ETAPS Foreword 


Welcome to the 24th ETAPS! ETAPS 2021 was originally planned to take place in 
Luxembourg in its beautiful capital Luxembourg City. Because of the Covid-19 pan- 
demic, this was changed to an online event. 

ETAPS 2021 was the 24th instance of the European Joint Conferences on Theory 
and Practice of Software. ETAPS is an annual federated conference established in 
1998, and consists of four conferences: ESOP, FASE, FoSSaCS, and TACAS. Each 
conference has its own Program Committee (PC) and its own Steering Committee 
(SC). The conferences cover various aspects of software systems, ranging from theo- 
retical computer science to foundations of programming languages, analysis tools, and 
formal approaches to software engineering. Organising these conferences in a coherent, 
highly synchronised conference programme enables researchers to participate in an 
exciting event, having the possibility to meet many colleagues working in different 
directions in the field, and to easily attend talks of different conferences. On the 
weekend before the main conference, numerous satellite workshops take place that 
attract many researchers from all over the globe. 

ETAPS 2021 received 260 submissions in total, 115 of which were accepted, 
yielding an overall acceptance rate of 44.2%. I thank all the authors for their interest in 
ETAPS, all the reviewers for their reviewing efforts, the PC members for their con- 
tributions, and in particular the PC (co-)chairs for their hard work in running this entire 
intensive process. Last but not least, my congratulations to all authors of the accepted 
papers! 

ETAPS 2021 featured the unifying invited speakers Scott Smolka (Stony Brook 
University) and Jane Hillston (University of Edinburgh) and the conference-specific 
invited speakers Isil Dillig (University of Texas at Austin) for ESOP and Willem Visser 
(Stellenbosch University) for FASE. Invited tutorials were provided by Erika Ábrahám 
(RWTH Aachen University) on analysis of hybrid systems and Madhusudan 
Parthasarathy (University of Illinois at Urbana-Champaign) on combining machine 
learning and formal methods. 

ETAPS 2021 was originally supposed to take place in Luxembourg City, Luxem- 
bourg organized by the SnT - Interdisciplinary Centre for Security, Reliability and 
Trust, University of Luxembourg. University of Luxembourg was founded in 2003. 
The university is one of the best and most international young universities with 6,700 
students from 129 countries and 1,331 academics from all over the globe. The local 
organisation team consisted of Peter Y.A. Ryan (general chair), Peter B. Roenne (or- 
ganisation chair), Joaquin Garcia-Alfaro (workshop chair), Magali Martin (event 
manager), David Mestel (publicity chair), and Alfredo Rial (local proceedings chair). 

ETAPS 2021 was further supported by the following associations and societies: 
ETAPS e.V., EATCS (European Association for Theoretical Computer Science), 
EAPLS (European Association for Programming Languages and Systems), and EASST 
(European Association of Software Science and Technology). 
The ETAPS Steering Committee consists of an Executive Board, and representatives 
of the individual ETAPS conferences, as well as representatives of EATCS, 
EAPLS, and EASST. The Executive Board consists of Holger Hermanns (Saarbrücken), 
Marieke Huisman (Twente, chair), Jan Kofroň (Prague), Barbara König 
(Duisburg), Gerald Lüttgen (Bamberg), Caterina Urban (INRIA), Tarmo Uustalu 
(Reykjavik and Tallinn), and Lenore Zuck (Chicago). 

Other members of the steering committee are: Patricia Bouyer (Paris), Einar Broch 
Johnsen (Oslo), Dana Fisman (Be’er Sheva), Jan-Friso Groote (Eindhoven), Esther 
Guerra (Madrid), Reiko Heckel (Leicester), Joost-Pieter Katoen (Aachen and Twente), 
Stefan Kiefer (Oxford), Fabrice Kordon (Paris), Jan Křetínský (Munich), Kim G. 
Larsen (Aalborg), Tiziana Margaria (Limerick), Andrew M. Pitts (Cambridge), Grigore 
Rosu (Illinois), Peter Ryan (Luxembourg), Don Sannella (Edinburgh), Lutz Schröder 
(Erlangen), Ilya Sergey (Singapore), Mariélle Stoelinga (Twente), Gabriele Taentzer 
(Marburg), Christine Tasson (Paris), Peter Thiemann (Freiburg), Jan Vitek (Prague), 
Anton Wijs (Eindhoven), Manuel Wimmer (Linz), and Nobuko Yoshida (London). 

I'd like to take this opportunity to thank all the authors, attendees, organizers of the 
satellite workshops, and Springer-Verlag GmbH for their support. I hope you all 
enjoyed ETAPS 2021. 

Finally, a big thanks to Peter, Peter, Magali and their local organisation team for all 
their enormous efforts to make ETAPS a fantastic online event. I hope there will be a 
next opportunity to host ETAPS in Luxembourg. 


February 2021 Marieke Huisman 
ETAPS SC Chair 
ETAPS e.V. President 


Preface 


This volume contains the papers accepted for the 24th International Conference on 
Foundations of Software Science and Computation Structures (FoSSaCS). The 
conference series is dedicated to foundational research with a clear significance for 
software science. It brings together research on theories and methods to support the 
analysis, integration, synthesis, transformation, and verification of programs and 
software systems. 

This volume contains 28 contributed papers selected from 88 paper submissions. 
Each submission was reviewed by at least three Program Committee members, with the 
help of external reviewers, and the final decisions took into account the feedback from 
a rebuttal phase. The conference submissions were managed using the EasyChair 
conference system, which was also used to assist with the compilation of these 
proceedings. 

We wish to thank all the authors who submitted papers to FoSSaCS 2021, the 
Program Committee members, the Steering Committee members, the external 
reviewers, and the ETAPS 2021 organizers. Due to the Covid-19 pandemic, ETAPS 
2021 was held online. 
Constructing a universe for the setoid model 

Abstract. The setoid model is a model of intensional type theory that 
validates certain extensionality principles, like function extensionality 
and propositional extensionality, the latter being a limited form of 
univalence that equates logically equivalent propositions. The appeal of this 
model construction is that it can be constructed in a small, intensional, 
type theoretic metatheory, therefore giving a method to bootstrap 
extensionality. The setoid model has been recently adapted into a formal 
system, namely Setoid Type Theory (SeTT). SeTT is an extension of 
intensional Martin-Löf type theory with constructs that give full access 
to the extensionality principles that hold in the setoid model. 


Although already a rich theory as currently defined, SeTT currently lacks 
a way to internalize the notion of type beyond propositions, hence we 
want to extend SeTT with a universe of setoids. To this aim, we present 
the construction of a (non-univalent) universe of setoids within the setoid 
model, first as an inductive-recursive definition, which is then translated 
to an inductive-inductive definition and finally to an inductive family. 
These translations from more powerful definition schemas to simpler ones 
ensure that our construction can still be defined in a relatively small 
metatheory which includes a proof-irrelevant identity type with a strong 
transport rule. 


Keywords: type theory - function extensionality - univalence - setoid 
model - induction-recursion - induction-induction 
1 Introduction 


Intuitionistic type theory is a formal system designed by Per Martin-Löf to be 
a full-fledged foundation in which to develop constructive mathematics [23,24]. 
A central aspect of type theory is the coexistence of two notions of equality. On 
the one hand definitional equality, the computational equality that is built into 
the formalism. On the other hand “propositional” equality, the internal notion 
of equality that is actually used to state and prove equational theorems within 
the system. The precise balance between these two notions is at the center of 
type theory research; however, it is generally understood that to properly sup- 
port formalization of mathematics, one should aim for a notion of propositional 
equality that is as extensional as possible. 

Two extensionality principles seem particularly desirable, since they arguably 
constitute the bare minimum for type theory to be comparable to set theory as a 
foundational system for set-level mathematics, in terms of power and ergonomics. 
One is function extensionality (or funext), according to which functions are equal 
if point-wise equal. Another is propositional extensionality (or propext), that 
equates all propositions that are logically equivalent. 

Type theory with equality reflection, also known as extensional type theory 
(ETT) does support extensional reasoning to some degree, but unfortunately 
equality reflection makes the problem of type-checking ETT terms computa- 
tionally unfeasible: it is undecidable. 

On the other hand, intensional type theory (ITT) has nice computational 
properties like decidable type checking that can make it more suitable for com- 
puter implementation, but as usually defined (for example, in [23]) it severely 
lacks extensionality. It is known from model constructions that extensional prin- 
ciples like funext are consistent with ITT. Moreover, ITT extended with the 
principle of uniqueness of identity proofs (UIP) and funext is known to be as 
powerful as ETT [19]. We could recover the expressive power of ETT by adding 
these principles to ITT as axioms, however destroying some computational prop- 
erties like canonicity. 

What we would like instead is a formulation of ITT that supports exten- 
sionality, while retaining its convenient computational behaviour. Unfortunately, 
canonicity for Martin-Löf's inductively defined identity type says that if two 
terms are propositionally equal in the empty context, then they are also defi- 
nitionally equal. This rules out function extensionality. The first step towards 
a solution is to give up the idea of propositional equality as a single inductive 
definition given generically for arbitrary types. Instead, equality should be spe- 
cific to each type former in the type theory, or in other words, every type former 
should be introduced alongside an explanation of what counts as equality for its 
elements. 

This idea of pairing types together with their own equality relation goes 
back to the notion of setoid or Bishop set. Setoids provide a quite natural and 
useful semantic domain in which to interpret type theory. The first setoid model 
was constructed to justify function extensionality without relying on funext in 
the metatheory [18]. Moreover, it was shown by Altenkirch [4] that if the model 
construction is carried out in a type theoretic metatheory with a universe of strict 
(definitionally proof-irrelevant) propositions, it is possible to define a univalent 
universe of propositions satisfying propositional extensionality. The setoid model 
thus satisfies all the extensionality principles that we would like to have in a 
set-level type theory⁵. The question is whether there exists a version of intensional 
type theory that supports setoid reasoning, and hence the forms of extensionality 
enabled by it. 

This question was revisited and answered in Altenkirch et al. [5]. In this 
paper, the authors define Setoid Type Theory (SeTT), an extension of inten- 
sional Martin-Lof type theory with constructs for setoid reasoning, where funext 
and propext hold by definition. SeTT is based on the strict setoid model of 
Altenkirch⁶, which makes it possible to show consistency via a syntactic 
translation. This is in contrast with other type theories based on the setoid model, 
like Observational Type Theory [9] and XTT [28], which instead rely on ETT 
for their justification. A major property of SeTT is thus to illustrate how to 
bootstrap extensionality, by translation into a small intensional core. 

SeTT as defined in [5] is already a rich theory, but its introspection capabili- 
ties are currently lacking, as its universes are limited to propositions. We would 
like to internalise the notion of type in SeTT, thus extending the theory with a 
universe of setoids. This goal brings up several questions, one of which has to do 
with the notion of equality with which the universe should come equipped: the 
universe of setoids is itself a setoid (as any type is) so it certainly cannot be uni- 
valent, since setoids lack the necessary structure. Another issue is the way such 
universe can be justified by the setoid model, and in particular what principles 
are needed in the metatheory to do so. 


Contributions This paper documents our work towards the construction of a 
universe of setoids inside the setoid model, and tries to answer these and other 
questions related to the design and implementation of this construction. Our 
main contribution is the construction of the universe in the model; this is given 
in steps, first as an inductive-recursive definition, which is then translated to 
an inductive-inductive definition, and subsequently to an inductive type. As a 
consequence, we show that we only need to assume indexed W-types and proof- 
irrelevant identity types in the metatheory (along with some obligatory basic 
tools like Σ and Π types) to construct the universe. 

The universe constructions presented in this paper are, to our knowledge, the 
first examples of two kinds of data type reductions in an intensional metatheory: 
the first involving an inductive-recursive type which includes strict propositions, 
and the second involving an infinitary inductive-inductive type. 

Finally, the mathematical contents of this paper have been formalized in the 
proof-assistant Agda (see [10]). 


Structure of the paper We begin by describing the metatheory that we will use 
throughout the paper, in Section 2. In Section 3, after briefly recalling 
categories with families as an abstract notion of models of type theory, we 
outline Altenkirch's setoid model as given in [5]. We then briefly discuss the 
rules of Setoid Type Theory in Section 3.2. 


⁵ In the sense of HoTT, we mean a type theory limited to h-sets. 
⁶ A strict model is one where every equation holds definitionally. 

In Section 4 we discuss the setoid model and various design choices related to 
it. We then recall inductive-recursive universes, and the way they can be equiv- 
alently defined as a plain inductive definition, in Section 4.1. We then provide, 
in Section 4.2, a first complete definition of the setoid universe using a special 
form of induction-recursion. This form of induction-recursion is not known to 
be reducible to plain inductive types. Then we describe an alternative definition 
of the universe in Section 4.3, that does not rely on induction-recursion but in- 
stead on infinitary induction-induction. This inductive-inductive encoding of the 
universe is obtained from the inductive-recursive one, inspired by the method of 
Section 4.1. We end the series of universe constructions with Section 4.4, where 
we outline a purely inductive definition of the setoid universe, obtained from the 
inductive-inductive one. 


1.1 Related work 


The setoid model was first described in [18] in order to add extensionality princi- 
ples to Type Theory such as function extensionality and propositional extension- 
ality. A strict variant of the setoid model was given in [4] using a definitionally 
proof-irrelevant universe of propositions. Recently, support for such a universe 
was added to the proof-assistants Agda and Coq [17], allowing a full formal- 
ization of Altenkirch’s setoid model. Setoid Type Theory (SeTT) is a recently 
developed formal system derived from this model construction [5]. Observational 
Type Theory (OTT) [9] is a syntax for the setoid model differing from SeTT 
in the use of a different notion of heterogeneous equality. Moreover, the consis- 
tency proof for OTT relies on Extensional Type Theory, whereas for SeTT it 
is obtained via a syntactic translation. XTT [28] is a cubical variant of OTT 
where the equality type is defined using an interval pretype⁷. XTT's universes 
support universe induction, whereas it is left open whether the construction 
presented here supports this principle. Palmgren and Wilander [27] construct a 
setoid universe using a translation into constructive set theory. Palmgren [26] 
constructs an encoding of ETT in ITT through Aczel’s encoding of set theory 
in type theory [3]. He uses type theory as a language for his formalisation but 
his construction is set-theoretic in nature. Setoids are utilized to encode sets as 
arbitrarily branching well-founded trees quotiented by bisimulation. His notion 
of family of setoids does not use strict propositions and it has a weaker form of 
proof irrelevance which seems to be not enough to obtain a model of SeTT. 
The principle of propositional extensionality in the setoid model is an in- 
stance of Voevodsky’s univalence axiom [29]. The cubical set model is a con- 
structive model justifying this axiom [11]. A type theory extracted from this 
model is Cubical Type Theory [13]. The relationship between the cubical set 


⁷ To quote one of the referees: the fact that the interval is a pretype is but the easiest 
part of the story. 
model and cubical type theory is similar to that between the setoid model and 
SeTT. Compared to cubical type theories, SeTT has the advantage that the 
equality type satisfies more definitional equalities. For instance, whereas in cu- 
bical type theory equality of functions is isomorphic to pointwise equality, in 
SeTT the isomorphism is replaced by a definitional equality. SeTT is also a syn- 
tactically straightforward extension of Martin-Löf Type Theory, that does not 
require exotic objects like the interval pretype. In turn, the obvious advantage 
of cubical type theory is that it is not limited to setoids. 

An exceptional aspect of the metatheory used in this paper is the presence 
of a proof-irrelevant identity type with a strong transport rule allowing to elim- 
inate into arbitrary types. In [1], Abel gives a proof of normalization for the 
Logical Framework extended with a similar proof-irrelevant equality type. Abel 
and Coquand show in [2] that the combination of impredicativity with a strong 
transport rule results in terms that fail to normalize but this is irrelevant in our 
setting. 


2 MLTT^Prop 


This section describes MLTT^Prop, our ambient metatheory. We employ Agda 
notation to write down MLTT^Prop terms throughout the paper. 

One of the main appeals of Altenkirch's setoid model is that it can justify 
several useful extensionality principles while being defined in a small intensional 
metatheory. We tried to stay true to this idea when figuring out the necessary 
metatheoretical tools for the universe construction in this paper. In particular, 
we wanted to avoid having to assume strong definition schemas that go beyond 
inductive families. MLTT^Prop is thus an intensional type theory in the style of 
Martin-Löf type theory. 

We have sorts Type_i of types and Prop_i of strict propositions for i ∈ {0, 1}. 
Here, i = 0 means "small" (and we will omit the subscript) and i = 1 means 
"large". We have implicit lifting from i = 0 to i = 1, but do not assume type 
formers are preserved. Type₁ has universes for Type and Prop. We do not 
distinguish notationally between universes and sorts. We continue to describe 
only the case i = 0; everything introduced has an analogue at level i = 1. 
Propositions lift to types via Lift : Prop → Type, with constructor lift : {P : 
Prop} → P → Lift P and destructor unlift : {P : Prop} → Lift P → P. 

We have standard type formers Π, Σ, Bool, 0, 1 in Type. Σ-types are defined 
negatively by pairing −,− and projections π₁, π₂. We have definitional η-rules 
for Π-, Σ-, 1-types. We also require indexed W-types, both in Type and Prop: 
W_O : (S : I → Type) → ((i : I) → S i → I → Type) → I → O where 
O ∈ {Type, Prop}. The elimination principle of W_Prop only allows defining 
functions into elements of Prop. From W_Prop we can define propositional 
truncation ||−|| : Type → Prop, with constructor |−| : {A : Type} → A → ||A|| 
and eliminator elim_{|−|} : {P : Prop} → (A → P) → ||A|| → P. 

In addition to type formers in Type, we will need the propositional versions 
of 0, 1, Π, and Σ. The latter three can be defined from their Type counterparts 
via truncation. That is, given P : Prop and Q : P → Prop: 


1_Prop := ||1|| 
Π_Prop P Q := ||Π (Lift P) (Lift ∘ Q ∘ unlift)|| 
Σ_Prop P Q := ||Σ (Lift P) (Lift ∘ Q ∘ unlift)|| 


We assume that we have 0_Prop : Prop together with exfalso_Prop : {A : Type} → 
0_Prop → A. 

Finally, we will assume an identity type in the style of Martin-Löf's inductive 
identity type. The main difference is that our identity type is a Prop-valued 
relation. We have a transport combinator transp from which J is derivable. 


Id : {A : Type} → A → A → Prop 
refl : {A : Type}(a : A) → Id a a 
transp : {A : Type}(C : A → Type){a₀ a₁ : A} → Id a₀ a₁ → C a₀ → C a₁ 


with transp C {x} {x} e u = u. The transp combinator provides a strong 
elimination principle allowing to eliminate a strict proposition (the identity 
type) into arbitrary types. We only use this identity type in Section 4.4. For the 
rest of our constructions, the traditional Martin-Löf identity type suffices. 
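As an added illustration (not part of this paper or of its Agda formalization), the following Lean 4 file shows the same combination of a Prop-valued identity type and a strong transport rule, with Lean's built-in Eq playing the role of Id: Lean's Prop is definitionally proof irrelevant and Eq.rec eliminates into Type. The names transp, J, Vec and castVec are ours, chosen to mirror the rules above.

```lean
-- Added example in Lean 4 (not from the paper). Lean's Eq lives in Prop,
-- is definitionally proof irrelevant, and Eq.rec may eliminate into Type,
-- so it plays the role of the paper's Id together with its transp rule.

-- transp, with the motive C made explicit.
def transp {A : Type} (C : A → Type) {a₀ a₁ : A}
    (e : a₀ = a₁) (u : C a₀) : C a₁ :=
  Eq.rec (motive := fun x _ => C x) u e

-- Two proofs of the same identity are interchangeable by definition.
theorem id_irrelevant {A : Type} {a b : A} (e₁ e₂ : a = b) : e₁ = e₂ := rfl

-- The rule transp C {x} {x} e u = u holds definitionally for any e : x = x,
-- not only for rfl: the endpoints coincide and e itself is irrelevant.
theorem transp_loop {A : Type} (C : A → Type) {x : A}
    (e : x = x) (u : C x) : transp C e u = u := rfl

-- Martin-Löf's J is derivable from transp alone: transport the family
-- "proofs of C x e' for every e'" along e, then instantiate it at e. The
-- base case typechecks because C a e' and C a rfl are definitionally equal.
def J {A : Type} {a : A} (C : (x : A) → a = x → Type)
    (c : C a rfl) {b : A} (e : a = b) : C b e :=
  transp (fun x => (e' : a = x) → C x e') e (fun _ => c) e

-- The derived J still computes on reflexivity, definitionally.
theorem J_refl {A : Type} {a : A} (C : (x : A) → a = x → Type)
    (c : C a rfl) : J C c rfl = c := rfl

-- A concrete use: length-indexed lists (our own toy type), recast along an
-- index equality. Even an opaque proof of 2 = 2 transports by computation.
abbrev Vec (α : Type) (n : Nat) : Type := { xs : List α // xs.length = n }

def castVec {α : Type} {m n : Nat} (e : m = n) (v : Vec α m) : Vec α n :=
  transp (Vec α) e v

theorem castVec_loop {α : Type} (e : 2 = 2) (v : Vec α 2) :
    castVec e v = v := rfl

example : (castVec (rfl : 2 = 2) ⟨[1, 2], rfl⟩ : Vec Nat 2).1 = [1, 2] := rfl
```

The rfl proofs after transp and J are the point: with a proof-irrelevant identity type, transport along any loop e : x = x reduces, and the derived J computes on reflexivity without an extra axiom. The file is meant to be checked standalone in Lean 4; it does not depend on the paper's formalization.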


2.1 Formalization 


A universe of strict propositions has been recently added to the Agda proof 
assistant [17], making most of MLTT^Prop a subset of Agda, with the exception 
of the proof-irrelevant identity type. Most of the universe constructions 
presented here have been formalized and proof-checked using Agda, with the 
proof-irrelevant identity type and the strong transport rule added via postulates 
and rewriting. The formalization can be found in [10]. 

For convenience, we slightly deviate from MLTT^Prop both in the paper and 
in the formalization, for instance by relying on pattern matching instead of 
eliminators, and using primitive versions of Prop-valued Π and Σ types instead 
of deriving them from truncation. We operate under the assumption that 
everything can be equivalently carried out in MLTT^Prop, although we have not 
fully checked all the necessary details. 


3 Setoid model 


By setoid model we mean a class of models of type theory where contexts/closed 
types are interpreted as setoids, i.e. sets with an equivalence relation, and de- 
pendent types are interpreted as dependent/indexed setoids. A setoid model was 
first given for intensional type theory by M. Hofmann [18], in order to provide 
a semantics for extensionality principles such as function and propositional ex- 
tensionality. 
Here we consider a similar model construction due to Altenkirch [4]. The 
peculiarity of this model is that it is presented in a type theoretic and intensional 
metatheory which includes a strict universe of propositions. 

The setoid model thus defined validates function extensionality, a universe of 
propositions with propositional extensionality, and quotient types. Therefore, it 
provides a way to bootstrap and “explain” extensionality, since the model con- 
struction effectively gives an implementation of various extensionality principles 
in terms of a small, completely intensional theory. 


3.1 Setoid model as a CwF 


The setoid model can be framed categorically as a category with families (CwF, 
[14]) with extra structure for the various type and term formers. The core struc- 
ture of a CwF can be given as the following signature: 
Con : Type 
Ty : (Γ : Con) → Type 
Sub : (Γ Δ : Con) → Type 
Tm : (Γ : Con) → Ty Γ → Type 


In our presentation of the setoid model, contexts are given by setoids, that is, 
types together with an equivalence relation. A key point of the model is that the 
equivalence relation is valued in Prop and is thus definitionally proof irrelevant. 


Γ : Con 


|Γ| : Type 
Γ~ : |Γ| → |Γ| → Prop 
refl Γ : (γ : |Γ|) → Γ~ γ γ 
sym Γ : ∀{γ₀ γ₁} → Γ~ γ₀ γ₁ → Γ~ γ₁ γ₀ 
trans Γ : ∀{γ₀ γ₁ γ₂} → Γ~ γ₀ γ₁ → Γ~ γ₁ γ₂ → Γ~ γ₀ γ₂ 


Types in a context Γ are given by displayed setoids over Γ with a fibration 
condition given by coe, coh. In the following, we sometimes omit implicit 
quantifications such as the ∀{γ₀ γ₁} in the type of sym Γ. 


A : Ty Γ 


|A| : |Γ| → Type 
A~ : {γ₀ γ₁ : |Γ|} → Γ~ γ₀ γ₁ → |A| γ₀ → |A| γ₁ → Prop 
refl^A : {γ : |Γ|}(a : |A| γ) → A~ (refl Γ γ) a a 
sym^A : ∀{γ₀ γ₁ a₀ a₁}{p : Γ~ γ₀ γ₁} → A~ p a₀ a₁ → A~ (sym Γ p) a₁ a₀ 
trans^A : A~ p₀ a₀ a₁ → A~ p₁ a₁ a₂ → A~ (trans Γ p₀ p₁) a₀ a₂ 
coe : Γ~ γ₀ γ₁ → |A| γ₀ → |A| γ₁ 
coh : (p : Γ~ γ₀ γ₁)(a : |A| γ₀) → A~ p a (coe A p a) 


This definition of types in the setoid model is different from the one in [4], 
but it is equivalent to it [12, Section 1.6.1]. The main difference here is in the 
use of a heterogeneous equivalence relation A~ in the definition of types. 
Substitutions are interpreted as functors between the corresponding setoids, 
whereas terms of type A in context Γ are sections of the type seen as a 
setoid fibration Γ.A → Γ. Note that we only need to include components for the 
functorial action on objects and morphisms, since the functor laws follow from 
proof-irrelevance in the metatheory, and thus hold definitionally. 


σ : Sub Δ Γ 
|σ| : |Δ| → |Γ| 
σ~ : Δ~ ρ₀ ρ₁ → Γ~ (|σ| ρ₀) (|σ| ρ₁) 

t : Tm Γ A 
|t| : (γ : |Γ|) → |A| γ 
t~ : (p : Γ~ γ₀ γ₁) → A~ p (|t| γ₀) (|t| γ₁) 


We can show that the setoid model validates the usual basic type formers 
(Π, Σ, etc.), function extensionality and a universe of strict propositions with 
propositional extensionality [4]. Note that we do not need identity types or in- 
ductive types (W-types) for this. 


3.2 Setoid Type Theory 


The setoid model presented in the previous section is strict, that is, every equa- 
tion of a CwF holds by definition in the semantics. One advantage of strict 
models is that they can be turned into syntactic translations, in which syntactic 
objects of the source theory are interpreted as their counterparts in another tar- 
get theory. In the case of the setoid model, this gives rise to a setoid translation, 
where source contexts are interpreted as target contexts together with a target 
type representing the equivalence relation, and so on.⁸ 

A setoid translation is used in [5] to justify Setoid Type Theory (SeTT), an 
extension of Martin-Löf type theory (+ Prop) with equality types for contexts 
and dependent types that reflect the setoid equality of the model. 

We recall the rules of SeTT that extend regular MLTT below, but with 
a variation: whereas the equality types in [5] are stated as elements of SeTT’s 
internal universe of propositions, here we state the context equalities as elements 
of the external, metatheoretic universe Prop. This generalises the notion of 
model of SeTT thus making it easier to construct models. Equality on types is 
defined as before in [5]. 

We have a universe of propositions Prop defined as follows: 


Γ : Con          P : Tm Γ Prop          u : Tm Γ P    v : Tm Γ P 
───────────      ─────────────          ───────────────────────── 
Prop : Ty Γ      P : Ty Γ               u = v 


Equality type constructors for contexts and dependent types internalize the 
idea that every context and type comes equipped with a setoid equivalence 
relation. Note that the Prop in the context-equality rule below is the universe 
of the metatheory, while the Prop in the type-equality rule is SeTT's internal 
one. As in the model, equality for dependent types is indexed over context 
equality. 


Γ : Con    ρ₀, ρ₁ : Sub Δ Γ 
─────────────────────────── 
Γ~ ρ₀ ρ₁ : Prop 

A : Ty Γ    ρ₀₁ : Γ~ ρ₀ ρ₁    a₀ : Tm Δ A[ρ₀]    a₁ : Tm Δ A[ρ₁] 
──────────────────────────────────────────────────────────── 
A~ ρ₀₁ a₀ a₁ : Tm Δ Prop 


⁸ Semantically, this translation corresponds to a model construction, in particular a 
functor from the category of models of the target theory to the category of models 
of what will be Setoid Type Theory. Since the setoid translation is structural in the 
context component, we can work with models in the style of categories with families 
rather than contextual categories. 


We have rules witnessing that these are indeed equivalence relations. We only 
recall reflexivity: 


ρ : Sub Δ Γ            A : Ty Γ    ρ : Sub Δ Γ    a : Tm Δ A[ρ] 
─────────────          ─────────────────────────────────────── 
R ρ : Γ~ ρ ρ           R a : Tm Δ (A~ (R ρ) a a) 


In addition, we also have rules representing the fact that every construction in 
SeTT respects setoid equality, so that we can transport along any such equality: 


A : Ty Γ    ρ₀, ρ₁ : Sub Δ Γ    ρ : Γ~ ρ₀ ρ₁    a : Tm Δ A[ρ₀] 
────────────────────────────────────────────────────────── 
coe_A ρ a : Tm Δ A[ρ₁] 
coh_A ρ a : Tm Δ (A~ ρ a (coe_A ρ a)) 


Notably, equality types in SeTT compute definitionally on concrete type 
formers. In particular, they compute to their obvious intended meaning, so that 
an equality of pairs is a pair of equalities, an equality of functions is a map 
of equalities, and so on. From this, we get definitional versions of function and 
propositional extensionality. 

We can easily recover the usual Martin-Löf identity type from setoid equality, 
with transport implemented via coercion. 


A : Ty Γ    a₀, a₁ : Tm Γ A 
────────────────────────────────────────── 
Id_A a₀ a₁ := A~ (R id) a₀ a₁ : Tm Γ Prop 


P : Ty (Γ.A)    p : Tm Γ (Id_A a₀ a₁)    t : Tm Γ P[a₀] 
──────────────────────────────────────────────────────── 
transp P p t := coe_P (R id, p) t : Tm Γ P[a₁] 


We can also derive Martin-Löf’s J eliminator for this homogeneous identity 
type. The only caveat is that transp and the J eliminator do not compute defi- 
nitionally on reflexivity. 
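For concreteness, here is an added Lean 4 rendering (our own, not the paper's Agda development) of the model components of Section 3.1 together with the derived identity type and transport of Section 3.2, restricted to closed types. It assumes Lean's Prop in place of the Prop of MLTT^Prop; the identifiers Con, Ty, Tm, Subst, Fun and SetoidId are our choices, and Subst stands for the paper's Sub (renamed to avoid a clash with Lean's Sub class).

```lean
-- Added example in Lean 4 (not the paper's Agda formalization). Lean's Prop
-- is definitionally proof irrelevant, so it stands in for the Prop of
-- MLTT^Prop; the names below mirror Sections 3.1/3.2 but are our own.
namespace SetoidModel

-- A context: carrier |Γ| with a Prop-valued equivalence relation Γ~.
structure Con where
  car   : Type
  rel   : car → car → Prop
  refl  : ∀ γ, rel γ γ
  symm  : ∀ {γ₀ γ₁}, rel γ₀ γ₁ → rel γ₁ γ₀
  trans : ∀ {γ₀ γ₁ γ₂}, rel γ₀ γ₁ → rel γ₁ γ₂ → rel γ₀ γ₂

-- A type over Γ: a displayed setoid with a heterogeneous relation A~ indexed
-- by a proof of context equality, plus the fibration structure coe/coh.
structure Ty (Γ : Con) where
  car   : Γ.car → Type
  rel   : ∀ {γ₀ γ₁}, Γ.rel γ₀ γ₁ → car γ₀ → car γ₁ → Prop
  refl  : ∀ {γ} (a : car γ), rel (Γ.refl γ) a a
  symm  : ∀ {γ₀ γ₁ a₀ a₁} {p : Γ.rel γ₀ γ₁},
            rel p a₀ a₁ → rel (Γ.symm p) a₁ a₀
  trans : ∀ {γ₀ γ₁ γ₂ a₀ a₁ a₂} {p₀ : Γ.rel γ₀ γ₁} {p₁ : Γ.rel γ₁ γ₂},
            rel p₀ a₀ a₁ → rel p₁ a₁ a₂ → rel (Γ.trans p₀ p₁) a₀ a₂
  coe   : ∀ {γ₀ γ₁}, Γ.rel γ₀ γ₁ → car γ₀ → car γ₁
  coh   : ∀ {γ₀ γ₁} (p : Γ.rel γ₀ γ₁) (a : car γ₀), rel p a (coe p a)

-- Terms: sections |t| that respect equality (t~).
structure Tm (Γ : Con) (A : Ty Γ) where
  fn   : ∀ γ, A.car γ
  resp : ∀ {γ₀ γ₁} (p : Γ.rel γ₀ γ₁), A.rel p (fn γ₀) (fn γ₁)

-- Substitutions (the paper's Sub): |σ| and σ~. No functor laws are needed,
-- because they hold by proof irrelevance.
structure Subst (Δ Γ : Con) where
  fn   : Δ.car → Γ.car
  resp : ∀ {δ₀ δ₁}, Δ.rel δ₀ δ₁ → Γ.rel (fn δ₀) (fn δ₁)

-- The closed function setoid A ⇒ B: elements are equality-respecting maps,
-- and two of them are equal exactly when they are pointwise equal.
abbrev Fun (A B : Con) : Con where
  car := { f : A.car → B.car // ∀ {a₀ a₁}, A.rel a₀ a₁ → B.rel (f a₀) (f a₁) }
  rel f g := ∀ a, B.rel (f.1 a) (g.1 a)
  refl f a := f.2 (A.refl a)
  symm h a := B.symm (h a)
  trans h₀ h₁ a := B.trans (h₀ a) (h₁ a)

-- Function extensionality is therefore definitional: the proof is h itself.
theorem funext_setoid {A B : Con} (f g : (Fun A B).car)
    (h : ∀ a, B.rel (f.1 a) (g.1 a)) : (Fun A B).rel f g := h

-- Section 3.2, specialised to closed types: the identity type is the setoid
-- relation, transport is coercion, and coh says the result is related to t.
abbrev SetoidId (Γ : Con) (a₀ a₁ : Γ.car) : Prop := Γ.rel a₀ a₁

def transp {Γ : Con} (P : Ty Γ) {a₀ a₁ : Γ.car}
    (p : SetoidId Γ a₀ a₁) (t : P.car a₀) : P.car a₁ :=
  P.coe p t

theorem transp_coh {Γ : Con} (P : Ty Γ) {a₀ a₁ : Γ.car}
    (p : SetoidId Γ a₀ a₁) (t : P.car a₀) : P.rel p t (transp P p t) :=
  P.coh p t

end SetoidModel
```

What the proof-irrelevant Prop buys is visible in three places: Subst carries no functor laws, the equality of Fun is pointwise equality so funext_setoid is just h, and transp_coh is exactly the coh component. Nothing in the file makes transp reduce on reflexivity, which matches the caveat above.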


4 Universe of setoids 


As pointed out in the introduction, SeTT is seriously limited by the lack of a 
universe internalizing the notion of setoid. Our goal is to extend SeTT with 
a universe of setoids; since SeTT is a direct syntactic reflection of the setoid 
model, this essentially amounts to showing that a universe of setoids with the 
necessary structure and equations can be constructed within the setoid model. 
This opens several questions and possible design choices. 

A first fundamental consideration has to do with the very definition of the 
setoid universe: as any type in the setoid model, this universe must be a setoid 
and thus come equipped with an equivalence relation. However, unlike the universe 
of propositions, a universe of setoids cannot be univalent, since this would 
force it to be a groupoid. The obvious choice is therefore to have a non-univalent 
universe, and instead define the universe’s relation so that it reflects a simple 
syntactic equality of codes rather than setoid equivalence. 

Another question has to do with the metatheoretic tools required to carry 
out the construction of the universe. In fact, one of the main aspects of the setoid 
model construction recalled in Section 3 and shown originally in [4] is that it 
can be carried out in a very small type theoretic metatheory, thus providing a 
way to reduce extensionality to a small intensional core. We would like to stay 
faithful to this ideal when constructing this setoid universe. 

A known and established method for defining universes in type theory relies 
on induction-recursion (IR), a definition schema developed by Dybjer [15,16]. 
Inductive-recursive definitions can be found throughout the literature, from the 
already mentioned type theoretic universes, including the original formulation 
à la Tarski by Martin-Lof [24], to metamathematical tools like computability 
predicates. 

Although universe constructions in type theory—including our own setoid 
universe—are naturally presented as inductive-recursive definitions, they may 
not necessarily require a metatheory with induction-recursion. In fact, it is pos- 
sible to reduce some instances of induction-recursion to plain induction (more 
specifically, inductive families), including some universe definitions. We recall 
this reduction in Section 4.1. 

Other design choices on the setoid universe are less essential, but still require 
careful consideration. For instance, one question is whether the setoid universe 
should support universe induction, thus exposing the inductive structure of the 
codes. Such an elimination principle is known to be inconsistent with univalence, 
although this is not an issue in our case; nevertheless it is not immediately clear 
if the elimination principle can be justified by the semantics, that is, if our encod- 
ing of the setoid universe in the model allows to define such a universe eliminator. 
The question arises because our final encoding of the setoid universe only sup- 
ports a weak form of elimination, for reasons that are explained in Section 4.4. 
Although not currently needed, a stronger eliminator might be necessary to jus- 
tify universe induction. This problem should not arise in the other encodings of 
the setoid universe (as given in Section 4.2 and Section 4.3). 

Another design choice has to do with how the setoid universe relates to 
the other universes. One could provide a code for Prop in the setoid universe. 
Moreover, the setoid universes could form a hierarchy, possibly cumulative. 

Yet another choice is whether to have two separate sorts, one for propositions 
and one for sets (with propositions convertible to sets) or a single sort of types 
(sets), with propositions given by elements of a universe of propositions, which 
is a (large) type. We have chosen to present the second option to fit with the 
standard notion of (unisorted) CwF. However, this has downsides: to even talk 
about propositions, we need to have a notion of large types. The first option is 
more symmetric: we can have parallel hierarchies for propositions and sets. 
4.1 Inductive-recursive universes 


An inductive-recursive universe is given by a type of codes U : Type, and a 
family El : U → Type that assigns, to each code corresponding to some type, 
the meta-theoretic type of its elements. The resulting definition is inductive- 
recursive because the inductive type of codes is defined simultaneously with the 
recursive function El. 

An example is the following definition of a small universe with bool and Π. 


data U : Type                         El : U → Type 
  bool : U                            El bool := 2 
  pi : (A : U) → (El A → U) → U       El (pi A B) := (a : El A) → El (B a) 

Induction-recursion is arguably a nice and natural way to define internal 
universes in type theory; however, it is not always strictly required. We can 
translate basic instances of induction-recursion into inductive families using the 
equivalence of I-indexed families of types and types over I (that is, A : Type 
with A → I) [22]. 

In our case, we can encode U as an inductive type inU that carves out all 
types in Type that are in the image of El. In other words, inU is a predicate 
that holds for any type that would have been obtained via El in the inductive- 
recursive definition. As El is indexed by the type of codes, the definition of inU 
quite expectedly reflects the inductive structure of codes. 


data inU : Type → Type₁ 
  inBool : inU 2 
  inPi : inU A → ((a : A) → inU (B a)) → inU ((a : A) → B a) 


U and El can be given by U := Σ (A : Type) (inU A) and El := π₁. 

Note that this construction gives rise to a universe in Type₁ rather than 
Type, since the definition of U quantifies over all possible types in Type. Hence 
this kind of construction requires a metatheory with at least one universe. 
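The same reduction written out in Lean 4, as an added example that is not from the paper or its Agda formalization: Lean has no induction-recursion, so U and El cannot be defined simultaneously, and the inductive family inU carves out the image of El exactly as described above. The names inU, U, El, bool and pi follow the page; the Lean-specific choices (abbrev, the universe level Type 1) are the example's own.

```lean
/-
  Added example (not from the paper or its Agda formalization): the
  reduction of Section 4.1 in Lean 4. Lean has no induction-recursion, so
  `U` and `El` cannot be defined simultaneously; instead `inU` carves out
  the image of `El` as an inductive family, exactly as on the page.
-/

/-- `inU A` holds when `A` is `El c` for some code `c` of the small
    inductive-recursive universe with `bool` and `pi`. -/
inductive inU : Type → Type 1 where
  | inBool : inU Bool
  | inPi {A : Type} {B : A → Type} :
      inU A → (∀ a, inU (B a)) → inU (∀ a, B a)

/-- The universe is a Σ-type over `Type`, so it lives in `Type 1`: the
    page's remark that this construction needs a metatheory with at least
    one universe. (`abbrev` so that Σ-pairs and projections unfold.) -/
abbrev U : Type 1 := Σ A : Type, inU A

/-- `El` is the first projection. -/
abbrev El (c : U) : Type := c.1

/-- The two codes of the small universe, recovered as Σ-pairs. -/
def bool : U := ⟨Bool, inU.inBool⟩

def pi (A : U) (B : El A → U) : U :=
  ⟨∀ a : El A, El (B a), inU.inPi A.2 (fun a => (B a).2)⟩

-- The decoding equations of the inductive-recursive version hold by `rfl`.
example : El bool = Bool := rfl
example (A : U) (B : El A → U) :
    El (pi A B) = (∀ a : El A, El (B a)) := rfl

-- An inhabitant of the code for `Bool → Bool` is an ordinary function.
def negCode : El (pi bool (fun _ => bool)) := not
```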


4.2 Inductive-recursive setoid universe 


In this section we give a first definition of the setoid universe, as a direct general- 
ization of the simple inductive-recursive definition just shown. We only consider 
a very small universe with bool type 2 and Π for simplicity; a more realistic uni- 
verse that includes more type formers can be found in the Agda formalization. 

To construct the universe of setoids in the setoid model, we first of all need 
to define a type U : Ty Γ for every Γ : Con, and for every A : Tm Γ U a 
type El A : Ty Γ. Recalling Section 3, these are essentially record types made 
of several components. Since U is a closed type, it requires the same data as 
a setoid; in particular, we need a type of codes together with an equivalence 
relation reflecting equality of codes, in addition to proofs that these are indeed 
equivalence relations: 


data U : Type 
– ~ᵤ – : U → U → Prop₁ 
reflᵤ : (A : U) → A ~ᵤ A 
symᵤ : A ~ᵤ B → B ~ᵤ A 
transᵤ : A ~ᵤ B → B ~ᵤ C → A ~ᵤ C 
El is given by a family of setoids indexed over the universe, that is, a way to 
assign to each code in the universe a carrier set and an equivalence relation. 

El : U → Type 
– ⊢ – ~ₑ – : {A A' : U} → A ~ᵤ A' → El A → El A' → Prop 

Note that – ⊢ – ~ₑ – is indexed over equality on the universe, because El is 
a displayed setoid over U, hence in particular it must respect the setoid equality 
of U. We also require data and proofs that make sure we get setoids out of El: 

reflₑ : (A : U)(x : El A) → reflᵤ A ⊢ x ~ₑ x 
symₑ : p ⊢ x ~ₑ x' → symᵤ p ⊢ x' ~ₑ x 
transₑ : p ⊢ x ~ₑ x' → q ⊢ x' ~ₑ x'' → transᵤ p q ⊢ x ~ₑ x'' 
coeₑ : A ~ᵤ B → El A → El B 
cohₑ : (p : A ~ᵤ A')(x : El A) → p ⊢ x ~ₑ coeₑ p x 


We give an inductive definition of U, mutually with a recursive definition of 
the 4 functions – ~ᵤ –, reflᵤ, El and – ⊢ – ~ₑ –. The other functions are then 
recursively defined: reflₑ alone, symᵤ and symₑ mutually, transᵤ, transₑ, coeₑ 
and cohₑ mutually. The whole construction is quite long; below we only show 
the more interesting definitions of U and El: 


data U : Type 
  bool : U 
  pi : (A : U)(B : El A → U) 
       → ({x x' : El A} → reflᵤ A ⊢ x ~ₑ x' → B x ~ᵤ B x') → U 

El bool := 2 
El (pi A B h) := 
  Σ (f : (a : El A) → El (B a)) 
    (∀{x x'} (p : reflᵤ A ⊢ x ~ₑ x') → h p ⊢ f x ~ₑ f x') 


Note that in the definition of U we require that the family B : El A → U be a 
setoid morphism, respecting the setoid equalities involved. This choice is crucial 
for the definition of El to go through, in particular since we eliminate the code 
for Π types into the setoid of functions that map equal elements to equal results. 
To state this mapping property we need to compare elements in different types, 
coming from applying f to different arguments x and x'. We know that x and x' 
are equal, but to conclude B x ~ᵤ B x' we need to know that B respects setoid 
equality. This is exactly what we get from our definition of U. 

We can now give a full definition of the setoid universe, and of El A for any 
A : Tm Γ U: 


|U| := λγ. U                     |El A| := λγ. El (|A| γ) 
U~ := λp x y. x ~ᵤ y             (El A)~ := λp x y. A~ p ⊢ x ~ₑ y 
refl U := reflᵤ                  refl (El A) := reflₑ 
coe U := λp x. x                 coe (El A) := λp. coeₑ (A~ p) 
coh U := λp. reflᵤ               coh (El A) := λp. cohₑ (A~ p) 
We can show that U is closed under Π types and booleans, and satisfies 
El (pi A B) = Π (El A) (El B) and El bool = Bool. The universe can be closed 
under more constructions if more codes are added to U. This gives a complete 
definition of a universe of setoids, which is, however, inductive-recursive. More- 
over, the kind of recursion involved in this definition is particularly complex, 
and not obviously reducible to well-understood notions of induction-recursion 
like the one described in [16]. In any case, we would like to avoid extending the 
metatheory with any form of induction-recursion in order to keep the metatheory 
as small and essential as possible. 

In the next section we transform our current inductive-recursive definition to 
one that does not use induction-recursion. The way this is done is inspired by 
the well-known trick to eliminate induction-recursion described in Section 4.1, 
but modified in a novel way to account for the presence of Prop-valued types. 
To our knowledge, this is the first time this reduction method is applied to an 
inductive-recursive type of this kind. 


4.3 Inductive-inductive setoid universe 


We will follow the method outlined in Section 4.1. In addition to inU for defining 
U, we also introduce a family inU~ of binary relations between types in the 
universe, from which we then define – ~ᵤ –. 

data inU : Type → Type₁ 
  bool : inU 2 
  π : (a : inU A)(a~ : inU~ a a A~)(b : (x : A) → inU (B x)) 
      → (∀{x₀ x₁}(x₀₁ : A~ x₀ x₁) → inU~ (b x₀) (b x₁) (B~ x₀₁)) 
      → inU (Σ (f : (x : A) → B x) 
               ((x₀ x₁ : A)(x₀₁ : A~ x₀ x₁) → B~ x₀₁ (f x₀) (f x₁))) 


data inU~ : {A A' : Type} → inU A → inU A' → (A → A' → Prop) → Type₁ 
  bool~ : inU~ bool bool (λx₀ x₁. x₀ =₂ x₁) 
  π~ : {b₀ : (x₀ : A₀) → inU (B₀ x₀)}{b₁ : (x₁ : A₁) → inU (B₁ x₁)} 
       {a₀~ : inU~ a₀ a₀ A₀~}{a₁~ : inU~ a₁ a₁ A₁~} 
       {b₀~ : ∀{x₀ x₁}(x₀₁ : A₀~ x₀ x₁) → inU~ (b₀ x₀) (b₀ x₁) (B₀~ x₀₁)} 
       {b₁~ : ∀{x₀ x₁}(x₀₁ : A₁~ x₀ x₁) → inU~ (b₁ x₀) (b₁ x₁) (B₁~ x₀₁)} 
       → inU~ a₀ a₁ A₀₁~ 
       → (∀{x₀ x₁}(x₀₁ : A₀₁~ x₀ x₁) → inU~ (b₀ x₀) (b₁ x₁) (B₀₁~ x₀₁)) 
       → inU~ (π a₀ a₀~ b₀ b₀~) (π a₁ a₁~ b₁ b₁~) 
              (λf₀ f₁. ∀(x₀ x₁)(x₀₁ : A₀₁~ x₀ x₁) → B₀₁~ x₀₁ (π₁ f₀ x₀) (π₁ f₁ x₁)) 


Just as the role of inU is, as before, to classify all types that are in the image of El, 
in the same way inU~ a a' classifies all relations of type A → A' → Prop that 
are in the image of – ⊢ – ~ₑ –, given proofs a : inU A, a' : inU A'. In particular, this 
definition of inU~ states that the appropriate equivalence for boolean elements 
is the obvious syntactic equality – =₂ –, whereas functions are to be compared 
pointwise. Note that inU appears in the sort of inU~. Since these types are 
mutually defined, they form an instance of induction-induction, a schema that 
allows the definition of a type mutually with other types that contain the first 
one in their signature [25].⁹ 

As in the universe example in Section 4.1, we now define U as a X type, and 
El as the corresponding first projection. 


U : Type₁                         El : U → Type 
U := Σ (X : Type) (inU X)         El := π₁ 


What is left now is to define the setoid equality relation on the universe, as 
well as the setoid equality relation on El A for any A in U. Two codes A, B in 
the universe U are equal when there exists a setoid equivalence relation on their 
respective sets El A and El B. Intuitively, since elements of a setoid are only ever 
compared to elements of the same setoid, this should only be possible if A and B 
are codes for the same setoid, that is, if A ~u B. Existence and well-formedness 
of such relations is expressed via the type inU~ just defined, hence we would 
expect A ~u B to be defined as follows: 


(A, a) ~ᵤ (B, b) := Σ (R : A → B → Prop) (inU~ a b R) 


Unfortunately this definition only manages to capture the idea, but does 
not actually typecheck. In fact, – ~ᵤ – should be a Prop₁-valued relation, so 
A ~ᵤ B should be a proposition. However, the Σ type shown above clearly is 
not, since it quantifies over a type of relations, which is not a proposition. One 
possible solution is actually quite simple, and it just involves truncating the Σ 
type above to force it to be in Prop₁. 


– ~ᵤ – : U → U → Prop₁ 
(A, a) ~ᵤ (B, b) := ‖Σ (R : A → B → Prop) (inU~ a b R)‖ 


We are now left to define the indexed equivalence relation on El: 


– ⊢ – ~ₑ – : {A B : U} → A ~ᵤ B → El A → El B → Prop 
p ⊢ x ~ₑ y := ? 


In the definition above, p has type ‖Σ (R : El A → El B → Prop) (...)‖. 
If the type was not propositionally truncated, we could define p ⊢ x ~ₑ y by 
extracting the relation out of the first component of p, and applying it to x, y. 
That is, p ⊢ x ~ₑ y := π₁ p x y. This would make the definition of – ~ᵤ – and 
– ⊢ – ~ₑ – in line with how we defined U and El. 

However, this does not work in our case, since the type of p is propositionally 
truncated, hence it cannot be eliminated to construct a proof-relevant object. 
Fortunately, we can work around this limitation by defining p ⊢ x ~ₑ y by 
induction on the codes A B : U, in a way that ends up being logically equivalent 
to the proposition we would have obtained by π₁ p x y if there were no truncation. 


⁹ The main example of induction-induction is the intrinsic definition of a dependent 
type theory in type theory [6]. 
More precisely, we need to construct proofs that for any concrete R and inR, the 
types |(R, inR)| ⊢ x ~ₑ y and R x y are logically equivalent. These in turn need 
to be defined mutually with – ⊢ – ~ₑ –. We direct the interested reader to 
the Agda formalization for the full details of these definitions, as they are quite 
involved. 

The full definition of the universe is concluded with the remaining definitions, 
like reflᵤ, reflₑ, etc., which can be adapted from their IR counterparts more or 
less straightforwardly. The final result does not use induction-recursion, but it is 
nevertheless an instance of infinitary induction-induction. The ability to define 
arbitrary, infinitary inductive-inductive types clashes, again, with our objective 
of keeping the metatheory as small and simple as possible. The next step is 
therefore to reduce this inductive-inductive universe to one that does not require 
(infinitary) induction-induction. 


4.4 Inductive setoid universe 


This section encodes the inductive-inductive universe of setoids from the pre- 
vious section without assuming arbitrary inductive-inductive definitions in the 
metatheory. 

Before turning our attention to the setoid universe, we recall the known, sys- 
tematic method to reduce finitary inductive-inductive types to inductive families. 


Reducing finitary induction-induction It is known that finitary inductive- 
inductive definitions can be reduced to inductive families [8,7,21]. To illustrate 
the idea, let us consider a well-known example of a finitary inductive-inductive 
type, the intrinsic encoding of type theory in type theory itself. Actually, we 
only consider the type of contexts Con : Type and the type of types Ty : Con → 
Type; since the latter is indexed over the former, this is already an example of 
induction-induction. 

Contexts in Con are formed out of the empty context • and context extension 
–, –. Types in Ty are either the base type ι or Π types. 


• : Con                            ι : (Γ : Con) → Ty Γ 
–, – : (Γ : Con) → Ty Γ → Con      Π : {Γ : Con}(A : Ty Γ) → Ty (Γ, A) → Ty Γ 


The general method to eliminate induction-induction is to split the original 
inductive-inductive types into a type of codes and associated well-formedness 
predicates. In our Con/Ty example, these would be respectively given by codes 
Con₀, Ty₀ : Type and predicates Con₁ : Con₀ → Type, Ty₁ : Con₀ → Ty₀ → 
Type. 

The definition of the codes and predicate types follows that of the original 
inductive-inductive type, and can be derived systematically from it. More im- 
portantly, they can be defined without induction-induction, since although Con₀ 
and Ty₀ are defined mutually, their sorts are not indexed. 
•₀ : Con₀ 
–,₀– : Con₀ → Ty₀ → Con₀ 
ι₀ : Con₀ → Ty₀ 
Π₀ : Con₀ → Ty₀ → Ty₀ → Ty₀ 

•₁ : Con₁ •₀ 
–,₁– : {Γ₀ A₀} → Con₁ Γ₀ → Ty₁ Γ₀ A₀ → Con₁ (Γ₀ ,₀ A₀) 
ι₁ : ∀{Γ₀} → Con₁ Γ₀ → Ty₁ Γ₀ (ι₀ Γ₀) 
Π₁ : ∀{Γ₀ A₀ B₀} → Con₁ Γ₀ → Ty₁ Γ₀ A₀ → Ty₁ (Γ₀ ,₀ A₀) B₀ 
     → Ty₁ Γ₀ (Π₀ Γ₀ A₀ B₀) 

We can recover the original inductive-inductive type as Con := Σ (Γ₀ : 
Con₀) (Con₁ Γ₀) and Ty Γ := Σ (A₀ : Ty₀) (Ty₁ (π₁ Γ) A₀). Recovering the 
constructors is straightforward: 

• := (•₀, •₁) 
(Γ₀, Γ₁) , (A₀, A₁) := ((Γ₀ ,₀ A₀), (Γ₁ ,₁ A₁)) 
ι (Γ₀, Γ₁) := (ι₀ Γ₀, ι₁ Γ₁) 
Π {Γ₀, Γ₁} (A₀, A₁) (B₀, B₁) := (Π₀ Γ₀ A₀ B₀, Π₁ Γ₁ A₁ B₁) 


Finally, we can define eliminators/induction principles for Con and Ty as just 
defined, by induction on the well-typing predicates. 
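The Con/Ty reduction above carried out in Lean 4, as an added example that is not from the paper: Lean's mutual inductive blocks accept the untyped codes and the well-formedness predicates but not an inductive-inductive Ty : Con → Type, so this is exactly the situation the reduction addresses. The ASCII names Con0/Ty0/Con1/Ty1 stand for the page's subscripted ones; the closing example piIota is the example's own.

```lean
/-
  Added example (not from the paper): the Con/Ty reduction of Section 4.4
  in Lean 4. Lean has no induction-induction, so `Ty : Con → Type` cannot be
  defined mutually with `Con`; the untyped codes and well-formedness
  predicates below are the page's Con₀/Ty₀ and Con₁/Ty₁ with ASCII names.
-/

mutual
  /-- Untyped context codes (Con₀). -/
  inductive Con0 : Type where
    | empty : Con0
    | ext   : Con0 → Ty0 → Con0
  /-- Untyped type codes (Ty₀). -/
  inductive Ty0 : Type where
    | iota : Con0 → Ty0
    | pi   : Con0 → Ty0 → Ty0 → Ty0
end

mutual
  /-- Well-formedness of a context code (Con₁): an inductive family,
      since its index `Con0` is already defined. -/
  inductive Con1 : Con0 → Type where
    | empty : Con1 Con0.empty
    | ext {G0 : Con0} {A0 : Ty0} :
        Con1 G0 → Ty1 G0 A0 → Con1 (Con0.ext G0 A0)
  /-- Well-formedness of a type code in a context code (Ty₁). -/
  inductive Ty1 : Con0 → Ty0 → Type where
    | iota {G0 : Con0} : Con1 G0 → Ty1 G0 (Ty0.iota G0)
    | pi {G0 : Con0} {A0 B0 : Ty0} :
        Con1 G0 → Ty1 G0 A0 → Ty1 (Con0.ext G0 A0) B0 →
        Ty1 G0 (Ty0.pi G0 A0 B0)
end

/-- Well-formed contexts: a code paired with its well-formedness proof. -/
abbrev Con : Type := Σ G0 : Con0, Con1 G0

/-- Well-formed types over a well-formed context. -/
abbrev Ty (G : Con) : Type := Σ A0 : Ty0, Ty1 G.1 A0

-- The constructors of the original inductive-inductive type, recovered
-- componentwise on the Σ-encoding.
def Con.empty : Con := ⟨Con0.empty, Con1.empty⟩

def Con.ext (G : Con) (A : Ty G) : Con :=
  ⟨Con0.ext G.1 A.1, Con1.ext G.2 A.2⟩

def Ty.iota (G : Con) : Ty G := ⟨Ty0.iota G.1, Ty1.iota G.2⟩

def Ty.pi {G : Con} (A : Ty G) (B : Ty (Con.ext G A)) : Ty G :=
  ⟨Ty0.pi G.1 A.1 B.1, Ty1.pi G.2 A.2 B.2⟩

-- A closed type Π ι ι in the empty context, built only from the recovered
-- constructors; the well-formedness component is assembled along the way.
def piIota : Ty Con.empty :=
  Ty.pi (Ty.iota Con.empty) (Ty.iota (Con.ext Con.empty (Ty.iota Con.empty)))
```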

Following [25], we distinguish two versions of the eliminator: the simple and 
the general one. Note that this is orthogonal to the distinction between non- 
dependent and dependent eliminators, from which we only consider the latter. 
The motives for the simple eliminator are C' : Con → Type, T' : (Γ : Con)(A : 
Ty Γ) → Type and the eliminators themselves have the following signatures: 


elim_Con : (Γ : Con) → C' Γ         elim_Ty : {Γ}(A : Ty Γ) → T' Γ A 


In the case of the general eliminator, the motive for Ty depends on the motive 
for Con, making the two eliminators recursive-recursive functions. For motives 
C : Con → Type and T : (Γ : Con) → Ty Γ → C Γ → Type the signatures are: 


elim_Con : (Γ : Con) → C Γ          elim_Ty : {Γ}(A : Ty Γ) → T Γ A (elim_Con Γ) 


The general eliminators can be derived from our encoding of Con and Ty via 
untyped codes and well-typing predicates. The way to do it is to first define the 
graph of the eliminators in the form of inductively-generated relations: 


data R-Con : (Γ : Con) → C Γ → Type 
data R-Ty : {Γ : Con}(A : Ty Γ)(γ : C Γ) → T Γ A γ → Type 


The next step is to prove that these relations are functional, by induction on 
the untyped codes Con₀ and Ty₀ [21]. From this result, defining the eliminators 
is immediate. 


Reducing the setoid universe The reduction described in the previous sec- 
tion works generically for an arbitrary finitary inductive-inductive type, thus 
giving a systematic way to reduce finitary inductive-inductive definitions to in- 
ductive families. However, it is not clear whether this method extends to in- 
finitary induction-induction, of which the setoid universe defined in Section 4.3 
is an instance. Of course, the absence of a general reduction method does not 
mean that we cannot reduce particular concrete instances of infinitary induction- 
induction, which is exactly what we hope for our universe construction. 

The obvious challenge in successfully completing this reduction is to avoid 
the need for extensionality in the metatheory. In fact, consider the simple in- 
finitary inductive-inductive type obtained from the previous Con/Ty example by 
replacing the finitary constructor Π with an infinitary one: Π̂ : {Γ : Con} → 
(ℕ → Ty Γ) → Ty Γ. Already with this simple example, we run into prob- 
lems as soon as we try to define the eliminator. One issue is that the definition 
of the eliminator relies on a proof that the well-typing predicates inU₁, inU~₁ 
are propositional, that is, any two of their elements are equal. Without further 
assumptions this proof can only be done by induction, and requires function 
extensionality since these predicates include higher-order constructors. 

One way to get around this is to define the well-typing predicates as Prop- 
valued families, rather than in Type: 


data inU₀ : Type → Type₁ 

data inU~₀ : {A A' : Type} → (A → A' → Prop) → Type₁ 

data inU₁ : (A : Type) → inU₀ A → Prop₁ 

data inU~₁ : {A A' : Type} → (R : A → A' → Prop) → inU~₀ R → Prop₁ 


Using Prop avoids the issue of proving propositionality altogether, since the 
predicates are now propositional by definition. However, it introduces a different 
issue: inU₁ and inU~₁ give rise to equational constraints on their indices, in the 
form of proofs of the Prop-valued identity type. The definition of the eliminators 
for inU and inU~ relies on the ability to transport along these proofs, hence the 
need to extend our metatheory with a primitive, strong form of transport for 
Id.¹⁰ 

Having Prop and a strong transport principle does help to some extent. 
However, we would still need extensionality to derive the general eliminators for 
inU and inU~. In fact, as explained in the previous section, to derive the general 
recursive-recursive eliminators we need to prove that the corresponding graph 
relations are functional, which cannot be done without funext. 

Luckily, the simple elimination principle is sufficient for our purposes: all 
functions described in Section 4.3 can be defined just using the simple elimina- 
tor without recursion-recursion. The simple eliminator itself can be defined by 
pattern matching on the untyped codes, and does not require extensionality or 
any extra principles beyond strong transport. 

Once the inductive encoding of the inductive-inductive universe is done, the 
setoid universe can be defined just as in Section 4.3. 


¹⁰ Note that this issue cannot be solved by expressing the equational constraints with 
an identity type in Type, since the well-typing predicates force it to necessarily be 
in Prop. 
5 Conclusions and further work 


We have described the construction of a universe of setoids in the setoid model 
of type theory; this is given in several steps, first as an inductive-recursive defini- 
tion, then as an inductive-inductive definition, and finally as an inductive type. 
Every encoding is obtained from the previous by adapting known data type 
transformation methods in a novel way that accounts for the peculiarities of our 
construction. In [5] we present rules for SeTT; clearly these rules need to be 
extended by the rules for a universe reflecting the semantics presented here. 

It is known that finitary IITs can be reduced to inductive types in an exten- 
sional setting [21]. In our paper we reduce an infinitary IIT to inductive types 
in an intensional setting. In the future, we would like to investigate whether this 
reduction can be generalised to arbitrary infinitary IITs. 

In contrast to the inductive-recursive and inductive-inductive versions of the 
universe, the inductive definition relies on a metatheory with a strong transport 
rule. As future work, we would like to prove normalization for this metatheory 
since previous work in this respect [2] seems to suggest that it represents a 
non-trivial addition. 

Another question regards the relationship between SeTT [5] and XTT [28]. 
Both systems are syntactic representations of the setoid model with similar de- 
sign choices, like definitional proof-irrelevance. We would like to know whether 
their respective notions of models are equivalent, that is, if we can obtain an 
XTT model from a SeTT model, and vice versa. Since XTT universes support 
universe induction, for one direction we would need to extend our own universe 
with the same principle (see discussion in Section 3 and the previous paragraph). 
Thus a related question is whether our encodings of the setoid universe can sup- 
port universe induction. A further question is whether this mapping of models 
is functorial. 

Groupoids can be regarded as generalized setoids. In the future we would 
like to design a type theory internalizing the groupoid model of type theory [20], 
in the same way that SeTT represents a syntax for the setoid model. A further 
question is whether such “groupoid type theory” can be justified, similarly to 
SeTT, via a syntactic translation, perhaps with SeTT itself as the target theory. 
Abstract. We define nominal equational problems of the form $\exists \overline{W}\, \forall \overline{Y} : P$, 
where $P$ consists of conjunctions and disjunctions of equations $s \approx_\alpha t$, 
freshness constraints $a \# t$ and their negations: $s \not\approx_\alpha t$ and $a \not\# t$, where $a$ is 
an atom and $s, t$ nominal terms. We give a general definition of solution 
and a set of simplification rules to compute solutions in the nominal 
ground term algebra. For the latter, we define notions of solved form from 
which solutions can be easily extracted and show that the simplification 
rules are sound, preserving, and complete. With a particular strategy for 
rule application, the simplification process terminates and thus specifies an 
algorithm to solve nominal equational problems. These results generalise 
previous results obtained by Comon and Lescanne for first-order languages 
to languages with binding operators. In particular, we show that the 
problem of deciding the validity of a first-order equational formula in 
a language with binding operators (i.e., validity modulo $\alpha$-equality) is 
decidable. 


Keywords: Nominal syntax · Unification · Disunification. 


1 Introduction 


Nominal unification [23] is the problem of solving equations modulo $\alpha$-equivalence. 
A solution consists of a substitution and a freshness context $\nabla$, i.e., a set of 
primitive constraints of the form $a \# X$ (read: “$a$ is fresh for $X$”), which intuitively 
means that $a$ cannot occur free in the instances of $X$. Nominal unification is 
decidable and unitary [23], and efficient algorithms exist [5,17], which can be 
used to solve problems of the form $\exists \overline{X}\,(\bigwedge_i \Delta_i \vdash s_i \approx_\alpha t_i)$, where $s_i, t_i$ are nominal 
terms with variables $\overline{X}$ and $\Delta_i$ is a freshness context. 
03/2020. Fourth author supported by NWO TOP project “Implicit Complexity 
through Higher Order Rewriting” (ICHOR), NWO 612.001.803/7571. 

© The Author(s) 2021 


S. Kiefer and C. Tasson (Eds.): FOSSACS 2021, LNCS 12650, pp. 22-41, 2021. 
https://doi.org/10.1007/978-3-030-71995-1_2 




Similarly, nominal disunification is the problem of solving disequations, i.e., 
negated equations of the form $s \not\approx_\alpha t$. An algorithm to solve nominal constraint 
problems of the form 

$\exists \overline{X}\,\big((\bigwedge_i \nabla_i \vdash s_i \approx_\alpha t_i) \wedge (\bigwedge_j \nabla_j \vdash p_j \not\approx_\alpha q_j)\big)$ 

is available [1], which finds solutions in the nominal term algebra $\mathcal{T}(\Sigma, \mathbb{A}, \mathcal{X})$ by 
constructing suitable representations of the witnesses for the variables in $P$. 

Comon and Lescanne [10] investigated a more general version of this problem, 
called equational problem, in their words: “an equational problem is any first- 
order formula whose only predicate symbol is $=$”, that is, it has the form 
$\exists w_1, \ldots, w_n\, \forall y_1, \ldots, y_m : P$ where $P$ is a system, i.e., an equation $s = t$, or a 
disequation $s \neq t$, or a disjunction of systems $\bigvee P_i$, or a conjunction of systems 
$\bigwedge P_i$, or a failure $\bot$, or success $\top$. The study of such problems was motivated by 
applications in pattern-matching for functional languages, sufficient completeness 
for term rewriting systems, negation in logic programming languages, etc. 

In order to extend these applications to languages that offer support for 
binders and $\alpha$-equivalence following the nominal approach, such as αProlog [6], 
αKanren [4], αleanTAP [20], to nominal rewriting [14] and nominal (universal) 
algebra [15], in this paper we consider nominal equational problems. 

Based on Comon and Lescanne’s work, the nominal extension of a first-order 
equational problem is a formula $P ::= \exists W_1 \ldots W_n\, \forall Y_1 \ldots Y_m : P$ where $P$ is a 
nominal system, i.e., a formula consisting of conjunctions and disjunctions of 
freshness, equality constraints, and their negations. 


Contributions. This paper introduces nominal equational problems (NEPs) and 
presents simplification rules to find solutions in the ground nominal algebra. The 
simplification rules are shown to be terminating (by using a measure that strictly 
decreases with each rule application), and also sound and solution-preserving. 
The simplification process for NEPs is more challenging than in the syntactic 
case because it deals with two predicates ($\approx_\alpha$ and $\#$) and needs to consider 
the interaction between freshness and a-equality constraints, and quantifiers. 
The elimination of universal quantifiers requires careful analysis since universal 
variables may occur in freshness constraints and in their negations. To make the 
process more manageable, we define a set of rules together with a strategy of 
application (specified by rule conditions) that simplifies the termination proof. 

Finally, we show that the irreducible forms are either $\bot$ or problems from 
which a solution can be easily extracted. In particular, if the NEP consists only of 
existentially quantified conjunctions of freshness and a-equality constraints, we 
obtain solved forms consisting of a substitution and a freshness context, as in 
the standard nominal unification algorithm [23]. 


Related Work. Comon and Lescanne [10] introduced first-order equational prob- 
lems and studied their solutions in the algebra of rational trees, the initial term 
algebra, and the ground term algebra. A restricted version of equational prob- 
lems, called disunification problems, which do not contain quantified variables, 
has been extensively studied in the first-order framework [8,3,11,2,22]. More 
recently, a nominal approach to disunification problems was proposed by Ayala 
et al. [1], including only conjunctions of equations and disequations and freshness 
constraints, without quantified variables. Here we generalise this previous work 
to deal with general formulas including disjunction, conjunction and negation of 
equations and freshness constraints, as well as existential and universal quantifica- 
tion over variables. To deal with negation of freshness, disjunctive formulas, and 
quantification we extend the semantic interpretation and design a different set of 
simplification rules as well as a more elaborated strategy for rule application. 

Extensions of first-order equational problems modulo equational theories have 
also been considered. Although the problem of solving disequations modulo an 
equational theory is not even semi-decidable in general (as shown by Comon [7]), 
there are useful decidable and semi-decidable cases. For example, solvability of 
complement problems (a sub-class of equational problems) is decidable modulo 
theories with permutative operators (which include commutative theories) [9,13], 
and for linear complement problems solvability modulo associativity and commu- 
tativity is also decidable [16,19,12]. Buntine and Bürckert [3] solve systems of 
equations and disequations in equational theories with a finitary unification type. 
Fernández [11] shows that $E$-disunification is semi-decidable when the theory 
$E$ is presented by a ground convergent rewrite system, and gives a sound and 
complete $E$-disunification procedure based on narrowing. Baader and Schulz [2] 
show that solvability of disunification problems in the free algebra of the combined 
theory $E_1 \cup \ldots \cup E_n$ is decidable if solvability of disunification problems with 
linear constant restrictions in the free algebras of the theories $E_i\ (1 \le i \le n)$ 
is decidable. Lugiez [18] introduces higher-order disunification problems and 
gives some decidable cases for which equational problems can be extended to 
higher-order systems. 


Organisation. Section 2 recalls the main concepts of nominal syntax and semantics. 
Section 3 introduces nominal equational problems and a notion of solution for 
such problems. Section 4 presents a rule-based procedure for solving NEPs, as 
well as soundness, preservation of solutions, and termination results. Section 5 
shows that the simplification rules reach solved forms from which solutions can 
be easily extracted. Section 6 concludes and discusses future work. 


2 Background 


We assume the reader is familiar with nominal techniques and recall some concepts 
and notations that shall be used in the paper; for more details, see [14,21,23]. 


Nominal Terms. We fix countably infinite pairwise disjoint sets of atoms $\mathbb{A} = 
\{a, b, c, \ldots\}$ and variables $\mathcal{X} = \{X, Y, Z, \ldots\}$. Atoms follow the permutative con- 
vention: names $a, b$ range permutatively over $\mathbb{A}$. Therefore, they represent different 
objects. Let $\Sigma$ be a finite set of term-formers disjoint from $\mathbb{A}$ and $\mathcal{X}$ such that 
for each $f \in \Sigma$, a unique non-negative integer $n$ (the arity of $f$, written as $f : n$) 
is assigned. We assume there is at least one $f : n$ such that $n > 0$. 
A permutation $\pi$ is a bijection $\mathbb{A} \to \mathbb{A}$ with finite domain, i.e., the set 
$dom(\pi) := \{a \in \mathbb{A} \mid \pi(a) \neq a\}$ is finite. We shall represent permutations as 
lists of swappings $\pi = (a_1\ b_1)(a_2\ b_2) \ldots (a_n\ b_n)$. The identity permutation is 
denoted by $id$ and $\pi \circ \pi'$ the composition of $\pi$ and $\pi'$. The set $\mathcal{P}$ of all such 
permutations together with the composition operation forms a group $(\mathcal{P}, \circ)$ and 
it will be denoted simply by $\mathcal{P}$. The difference set of $\pi$ and $\gamma$ is defined by 
$ds(\pi, \gamma) = \{a \in \mathbb{A} \mid \pi(a) \neq \gamma(a)\}$. 


Definition 1 (Nominal Terms). The set $T(\Sigma, \mathbb{A}, \mathcal{X})$ of nominal terms, or 
just terms for short, is inductively defined by the following grammar: 

\[ s, t, u ::= a \mid \pi\cdot X \mid [a]t \mid f(t_1, \ldots, t_n), \] 

where $a$ is an atom, $\pi\cdot X$ is a moderated variable, $[a]t$ is the abstraction of $a$ in 
the term $t$, and $f(t_1, \ldots, t_n)$ is a function application with $f \in \Sigma$ and $f : n$. A 
term is ground if it does not contain variables. 

In an abstraction $[a]t$, $t$ is the scope of the binder $[a]$ and it binds all free 
occurrences of $a$ in $t$. An occurrence of an atom in a term is free if it is not 
under the scope of a binder. Notice that syntactic equality is not modulo 
$\alpha$-equivalence; for example, $[a]a \neq [b]b$. We may write syntactic equality $s = t$ as $s \equiv t$ with the 
same intended meaning, and $\bar{t}$ abbreviates an ordered sequence $t_1, \ldots, t_n$ of terms. 


Example 1. Let $\Sigma_\lambda := \{\mathsf{lam} : 1, \mathsf{app} : 2\}$ be a signature for the $\lambda$-calculus. Using 
atoms to represent variables, $\lambda$-expressions are generated by the grammar: 

\[ e ::= a \mid \mathsf{lam}([a]e) \mid \mathsf{app}(e, e) \] 

As usual, we sugar $\mathsf{app}(s, t)$ to $s\,t$ and $\mathsf{lam}([a]s)$ to $\lambda[a]s$. The following are 
examples of nominal terms: $(\lambda[a]a)\,X$ and $(\lambda[a](\lambda[b]b\,a)\,c)\,d$. 


We inductively extend the action of a permutation $\pi$ to a term $t$, denoted 
$\pi\cdot t$, by setting: $\pi\cdot a = \pi(a)$, $\pi\cdot(\pi'\cdot X) = (\pi \circ \pi')\cdot X$, $\pi\cdot([a]t) = [\pi(a)](\pi\cdot t)$, 
and $\pi\cdot f(\bar t) = f(\pi\cdot\bar t)$. 

Substitutions, ranging over $\sigma, \gamma, \tau, \ldots$, are maps (with finite domain) from 
variables to terms. The action of a substitution $\sigma$ on a term $t$, denoted $t\sigma$, 
is inductively defined by: $a\sigma = a$, $(\pi\cdot X)\sigma = \pi\cdot(X\sigma)$, $([a]t)\sigma = [a](t\sigma)$ and 
$f(t_1, \ldots, t_n)\sigma = f(t_1\sigma, \ldots, t_n\sigma)$. Notice that $t(\sigma\gamma) = (t\sigma)\gamma$. 


Definition 2 (Positions and subterms). Let $s$ be a nominal term. The set 
$\mathsf{Pos}(s)$ of positions in $s$ is a set of strings over positive integers defined inductively 
below. Additionally, $s|_p$ denotes the subterm of $s$ at position $p$ and $s(p)$ denotes 
the symbol at position $p$. 

— If $s = a$ or $s = \pi\cdot X$, then $\mathsf{Pos}(s) = \{\epsilon\}$ and $s|_\epsilon = s$; 

— if $s = [a]t$ then $\mathsf{Pos}(s) = \{\epsilon\} \cup \{1\cdot p \mid p \in \mathsf{Pos}(t)\}$, $s|_\epsilon = s$ and $s|_{1\cdot p} = t|_p$; 

— if $s = f(s_1, \ldots, s_n)$ then $\mathsf{Pos}(s) = \{\epsilon\} \cup \bigcup_i \{i\cdot p \mid p \in \mathsf{Pos}(s_i)\}$, $s|_\epsilon = s$ and 
$s|_{i\cdot p} = s_i|_p$. 
Freshness and $\alpha$-equality. A nominal equation is the symbol $\top$ or an expression 
$s \approx_\alpha t$ where $s$ and $t$ are nominal terms. A trivial equation is either $s \approx_\alpha s$ or 
$\top$. Freshness constraints have the form $a\#t$ where $a$ is an atom and $t$ a term. 
A freshness context is a finite set of primitive freshness constraints of the form 
$a\#X$; we use $\Delta$, $\nabla$ and $\Gamma$ to denote them. We extend the notation to sets of 
atoms: $A\#X$ denotes that $a\#X$ for every $a \in A$. 

$\alpha$-derivability is given by the deduction rules in Figure 1, which define an 
equational theory called CORE. 

Freshness rules: 
\[
\frac{}{\nabla \vdash a \# b}\ (\#\text{ab}) \qquad
\frac{\pi^{-1}(a) \# X \in \nabla}{\nabla \vdash a \# \pi\cdot X}\ (\#\text{var}) \qquad
\frac{}{\nabla \vdash a \# [a]t}\ (\#\text{abs-a})
\]
\[
\frac{\nabla \vdash a \# t}{\nabla \vdash a \# [b]t}\ (\#\text{abs-b}) \qquad
\frac{\nabla \vdash a \# t_1 \quad \cdots \quad \nabla \vdash a \# t_n}{\nabla \vdash a \# f(t_1, \ldots, t_n)}\ (\#\text{f})
\]

$\alpha$-equality rules: 
\[
\frac{}{\nabla \vdash a \approx_\alpha a}\ (\approx\text{a}) \qquad
\frac{\mathsf{ds}(\pi, \pi') \# X \subseteq \nabla}{\nabla \vdash \pi\cdot X \approx_\alpha \pi'\cdot X}\ (\approx\text{var}) \qquad
\frac{\nabla \vdash t \approx_\alpha t'}{\nabla \vdash [a]t \approx_\alpha [a]t'}\ (\approx\text{abs-a})
\]
\[
\frac{\nabla \vdash t \approx_\alpha (a\ a')\cdot t' \quad \nabla \vdash a \# t'}{\nabla \vdash [a]t \approx_\alpha [a']t'}\ (\approx\text{abs-b}) \qquad
\frac{\nabla \vdash t_1 \approx_\alpha t_1' \quad \cdots \quad \nabla \vdash t_n \approx_\alpha t_n'}{\nabla \vdash f(t_1, \ldots, t_n) \approx_\alpha f(t_1', \ldots, t_n')}\ (\approx\text{f})
\]

Fig. 1. CORE freshness and $\alpha$-equality rules. 

— Write $\nabla \vdash a\#t$ when there exists a derivation of $\nabla \vdash a\#t$. 
The judgement $\nabla \vdash a\#t$ intuitively means that, using the freshness constraints 
in $\nabla$ as assumptions, $a$ does not occur free in $t$. 

— Write $\nabla \vdash s \approx_\alpha t$ when there exists a derivation of $\nabla \vdash s \approx_\alpha t$. 
The judgement $\nabla \vdash s \approx_\alpha t$ intuitively means that, using the freshness 
constraints in $\nabla$ as assumptions, $s$ is $\alpha$-equivalent to $t$. 


Semantic Notions. Nominal equational theory has a natural semantic denotation 
in nominal sets, since freshness and abstraction are easily interpreted there. 

A $\mathsf{P}$-set $\mathsf{X}$ is an ordinary set equipped with an action $\mathsf{P} \times \mathsf{X} \to \mathsf{X}$ (written 
$\pi\cdot x$) such that $\mathsf{id}\cdot x = x$ and $\pi\cdot(\pi'\cdot x) = (\pi \circ \pi')\cdot x$. A set of atoms $A \subseteq \mathbb{A}$ 
supports $x \in \mathsf{X}$ iff every permutation $\pi \in \mathsf{P}$ fixing every element of $A$ acts 
trivially on $x$, i.e., if $\pi(a) = a$ for all $a \in A$ then $\pi\cdot x = x$. Semantic 
freshness is defined in terms of support as follows: an atom $a$ is fresh for $x \in \mathsf{X}$ 
iff $a \notin \mathsf{supp}(x)$, the support of $x$. We denote this by writing $a \#_{\mathsf{sem}} x$. A nominal set is a $\mathsf{P}$-set such 
that every element is finitely supported. 

To build an algebraic ground term-model of CORE, we fix the set $\mathcal{G}$ consisting 
of equivalence classes of provably $\alpha$-equivalent ground terms. More precisely, given 
a ground term $g$, the class $\bar g$ is the set of ground terms $g'$ for which there exists a 
derivation $\vdash g \approx_\alpha g'$. Note that $\mathcal{G}$ is a nominal set under the natural action 
$\pi\cdot\bar g = \overline{\pi\cdot g}$. Each function symbol $f \in \Sigma$ is interpreted by an equivariant function 
$f^{\mathcal{G}}$ mapping $(\bar t_1, \ldots, \bar t_n) \mapsto \overline{f(t_1, \ldots, t_n)}$, and abstractions $[a]t$ are interpreted by 
an equivariant function $[\_]\_ : \mathbb{A} \times \mathcal{G} \to \mathcal{G}$ such that $a \#_{\mathsf{sem}} [a]g$ always. 
Signature interpretation is homomorphically extended to the set of terms 
as follows. Fix a valuation function $\varsigma$ that assigns to every variable $X \in \mathcal{X}$ an 
element of $\mathcal{G}$. The interpretation of a term $t$ under $\varsigma$, $\llbracket t \rrbracket_\varsigma$, is defined as: 

\[
\llbracket a \rrbracket_\varsigma = \bar a, \qquad
\llbracket \pi\cdot X \rrbracket_\varsigma = \pi\cdot\varsigma(X), \qquad
\llbracket [a]t \rrbracket_\varsigma = [a]\llbracket t \rrbracket_\varsigma, \qquad
\llbracket f(t_1, \ldots, t_n) \rrbracket_\varsigma = f^{\mathcal{G}}(\llbracket t_1 \rrbracket_\varsigma, \ldots, \llbracket t_n \rrbracket_\varsigma).
\]


Definition 3 (Validity under $\varsigma$). Let $\mathcal{A}$ be any infinite subalgebra of CORE 
with domain $A$ and $\varsigma$ a valuation function assigning to every variable $X \in \mathcal{X}$ an 
element of $A$. We say that: 

1. $\llbracket a\#t \rrbracket_\varsigma$ (resp. $\llbracket t \approx_\alpha u \rrbracket_\varsigma$) is valid if $a \#_{\mathsf{sem}} \llbracket t \rrbracket_\varsigma$ (resp. $\llbracket t \rrbracket_\varsigma = \llbracket u \rrbracket_\varsigma$). 

2. $\llbracket \nabla \rrbracket_\varsigma$ is valid when $a \#_{\mathsf{sem}} \varsigma(X)$ for each $a\#X \in \nabla$. 

3. $\llbracket \nabla \vdash a\#t \rrbracket_\varsigma$ is valid when the validity of $\llbracket \nabla \rrbracket_\varsigma$ implies $a \#_{\mathsf{sem}} \llbracket t \rrbracket_\varsigma$, and 

4. $\llbracket \nabla \vdash t \approx_\alpha u \rrbracket_\varsigma$ is valid when the validity of $\llbracket \nabla \rrbracket_\varsigma$ implies $\llbracket t \rrbracket_\varsigma = \llbracket u \rrbracket_\varsigma$. 

Write $\nabla \models s \approx_\alpha t$ (resp. $\nabla \models a\#t$) when $\llbracket \nabla \vdash s \approx_\alpha t \rrbracket_\varsigma$ (resp. $\llbracket \nabla \vdash a\#t \rrbracket_\varsigma$) is 
valid for any valuation $\varsigma$. 


A model of a nominal theory is an interpretation that validates all of its 
axiomatic judgements V F s %a t. It is easy to see that the interpretation we 
define above is a model of CORE. For the rest of the paper, we slightly abuse 
notation by calling CORE both the theory and its model making distinctions 
when necessary. 


Remark 1. It is worth noticing the syntactic character of CORE: by interpreting 
atoms as themselves, and since there are no equational axioms, we easily connect 
$\nabla \models a\#t$ and $\nabla \vdash a\#t$. This behaviour is not the rule when equational axioms are 
considered. For instance, consider the theory LAM that axiomatises $\beta$-equality in 
the $\lambda$-calculus. It is a fact that $a \#_{\mathsf{sem}} (\lambda[a]b)\,a$ in LAM, but there is no syntactic 
derivation of $a\#(\lambda[a]b)\,a$. Furthermore, by completeness for equality derivation, 
we establish a connection between $\nabla \models s \approx_\alpha t$ and $\nabla \vdash s \approx_\alpha t$. 


There are alternative definitions of nominal terms where the syntax is many- 
sorted. We chose to work with an unsorted syntax for simplicity; all the results 
below can be extended to the many-sorted case, indeed they are proved for any 
infinite subalgebra of the ground nominal algebra. 


3 Nominal Equational Problems 


In this section, we introduce nominal equational problems (NEPs) as our main 
object of study. A NEP is a first-order formula built only with the predicates $\approx_\alpha$ 
and $\#$. Their negations, denoted $\not\approx_\alpha$ and $\not\#$, are used to build disequations and 
non-freshness constraints. A trivial disequation is either $s \not\approx_\alpha s$ or $\bot$. 

Intuitively, a non-freshness constraint $a\not\#t$, read "$a$ is not fresh for $t$", states 
that there exists at least one instance of $t$ where $a$ occurs free. Similarly for 
disequations: $s \not\approx_\alpha t$ states that $s$ and $t$ are not $\alpha$-equivalent. 


Definition 4. A nominal system is a formula defined by the following grammar: 
\[ P ::= \top \mid \bot \mid s \approx_\alpha t \mid s \not\approx_\alpha t \mid a\#t \mid a\not\#t \mid P \wedge P \mid P \vee P \] 


In the next definition, we make a distinction between the sets of variables 
occurring in a NEP: the mutually disjoint sets $\mathcal{W} = \{W_1, \ldots, W_n\}$ and $\mathcal{Y} = 
\{Y_1, \ldots, Y_m\}$ denote existentially and universally quantified variables, respectively. 
The former we call auxiliary variables and the latter parameters. 


Definition 5 (NEP). A NEP is a formula of the form below, where $P$ is a nominal 
system: 

\[ \mathbb{P} ::= \exists W_1 \ldots W_n\, \forall Y_1 \ldots Y_m : P \] 


The set Fv(P) contains the free variables occurring in P. For the rest of the 
paper, we use the following implicit naming scheme for variables: W denotes an 
auxiliary variable, Y a parameter, X a free variable, and Z an arbitrary variable. 


Example 2. Nominal disunification constraints [1] are pairs of the form 
$\mathbb{P} := \exists\bar W\,(E \,\|\, D)$, where $E$ is a finite set of nominal equations-in-context, i.e., 
$E = \bigcup_{i=0}^{n} \{\Delta_i \vdash s_i \approx_\alpha t_i\}$, and $D$ is a finite set of nominal disequations-in-context, 
$D = \bigcup_{j=0}^{m} \{\nabla_j \vdash u_j \not\approx_\alpha v_j\}$. This problem is a particular NEP: reading the judgement 
$\Delta \vdash s \approx_\alpha t$ as $\Delta \Rightarrow s \approx_\alpha t$, or equivalently as $\neg\Delta \vee s \approx_\alpha t$,$^4$ we obtain the formula 

\[
P := \Big(\bigwedge_{i=0}^{n} (\neg[\Delta_i] \vee s_i \approx_\alpha t_i)\Big) \wedge \Big(\bigwedge_{j=0}^{m} (\neg[\nabla_j] \vee u_j \not\approx_\alpha v_j)\Big),
\]

where $[\Delta_i]$, $[\nabla_j]$ are the conjunctions of the freshness constraints in $\Delta_i$, $\nabla_j$, respectively. 


Sufficient completeness, that is, deciding whether a set of patterns (rules) 
covers all possible cases, is a well-known problem in functional programming. In 
the next example, we show how to naturally represent such problems as NEPs. 


Example 3. Consider the function $\mathsf{map}$ which applies a function $[a]F$ to every 
element of a list $L$. It may be defined by the rules below: 

\[
R_{\mathsf{map}} = \left\{ \begin{array}{l}
\mathsf{map}([a]F, \mathsf{nil}) \to \mathsf{nil} \\
\mathsf{map}([a]F, \mathsf{cons}(X, L)) \to \mathsf{cons}(F\{a \mapsto X\}, \mathsf{map}([a]F, L)),
\end{array} \right.
\]


$^4$ Similarly, for disequations. 
where $\{a \mapsto \_\}$ is a binary term-former representing (explicit) substitutions; 
see [14, Example 43] for more details. Since we are not imposing a type discipline 
on nominal terms it is possible to construct ill-typed terms, for instance 
$\mathsf{map}(a, [a]t)$. In what follows we ignore those expressions, noting that a type 
discipline would not allow such constructions. Sufficient completeness can then be 
checked using the following NEP: 

\[
\forall Y_1 Y_2 Y_3 L' : \mathsf{map}([a]F, L) \not\approx_\alpha \mathsf{map}([b]Y_1, \mathsf{nil}) \wedge
\mathsf{map}([a]F, L) \not\approx_\alpha \mathsf{map}([b]Y_2, \mathsf{cons}(Y_3, L')).
\]


If the problem has a solution then Rmap is not complete, and the solution 
indicates the missing pattern cases in the definition. 


Solutions of Nominal Equational Problems. We are interested in solutions for NEPs 
in the ground nominal algebra. From now on, $\mathcal{A}$ denotes an infinite subalgebra of 
CORE with domain $A$. Below we define solutions using idempotent substitutions, 
which can be seen as a representation for valuations that map variables to 
elements of the ground term algebra. 

We first extend the interpretation function under a valuation $\varsigma$, $\llbracket \cdot \rrbracket_\varsigma$ (see 
Section 2), to the negated forms of freshness and $\alpha$-equality constraints. 


Definition 6. Let $\varsigma$ be a (fixed but arbitrary) valuation. A negative 
constraint $a\not\#t$ (resp. $s \not\approx_\alpha t$) is valid under $\varsigma$ when: 

— it is not the case that $a \#_{\mathsf{sem}} \llbracket t \rrbracket_\varsigma$; this is written $\llbracket a\not\#t \rrbracket_\varsigma$; and, respectively, 
— it is not the case that $\llbracket s \rrbracket_\varsigma = \llbracket t \rrbracket_\varsigma$; this is written $\llbracket s \not\approx_\alpha t \rrbracket_\varsigma$. 


In standard unification algorithms, idempotent substitutions are used as a 
compact representation of a set of valuations in the ground term algebra. Similarly, 
given a valuation in the ground term algebra, one can build a ground substitution 
representing it. In the case of the ground nominal algebra, where elements are 
a-equivalence classes of terms, the representative is generally not unique, but 
any representative can be used. 


Definition 7. Given a substitution $\sigma = [X_1/t_1, \ldots, X_n/t_n]$, for any valuation 
$\varsigma$ we denote by $\varsigma^\sigma$ the valuation such that $\varsigma^\sigma(X) = \varsigma(X)$ if $X \notin \mathsf{dom}(\sigma)$, and 
$\varsigma^\sigma(X) = \llbracket X\sigma \rrbracket_\varsigma$ otherwise. 

Given a valuation $\varsigma = [X_i \mapsto g_i \mid X_i \in \mathcal{X}, g_i \in A]$ and a finite set $X$ of 
variables, we denote by $\sigma^X_\varsigma$ any ground substitution such that for each $X_i \in X$, 
$\sigma^X_\varsigma(X_i) = t_i$ where $g_i = \overline{t_i}$. We say that $\sigma^X_\varsigma$ is a grounding substitution for $X$. 


The next lemma states that under mild conditions we can extend substitutions 
to valuations preserving semantic equality. 

Lemma 1. Given an idempotent substitution $\sigma = [X_1/t_1, \ldots, X_n/t_n]$ and a 
valuation $\varsigma$ we have $\llbracket s\sigma \rrbracket_\varsigma = \llbracket s \rrbracket_{\varsigma^\sigma}$. 


The next definition allows us to use idempotent substitutions to represent 
solutions of constraints. 
Definition 8 (Constraint $\mathcal{A}$-validation). Let $\sigma$ be an idempotent substitution 
whose domain includes all the variables occurring in a constraint $C$. Then $\sigma$ 
$\mathcal{A}$-validates $C$ iff $\llbracket C \rrbracket_{\varsigma^\sigma}$ is valid in $\mathcal{A}$ for any valuation $\varsigma$. 


We now extend semantic validity to the syntax of systems. The interpretation 
for the logical connectives is defined as expected. 


Definition 9 ($\mathcal{A}$-validation). For an idempotent substitution $\sigma$ whose domain 
includes all variables occurring in a system $P$, we say that $\sigma$ $\mathcal{A}$-validates $P$ iff 

1. $P = \top$; or 

2. $P = C$ and $\sigma$ $\mathcal{A}$-validates $C$; or 

3. $P = P_1 \wedge \ldots \wedge P_n$ and $\sigma$ $\mathcal{A}$-validates each $P_i$, $1 \le i \le n$; or 

4. $P = P_1 \vee \ldots \vee P_m$ and $\sigma$ $\mathcal{A}$-validates at least one $P_i$, $1 \le i \le m$. 


Solutions of equational problems instantiate free variables and satisfy the existential 
and universal requirements for auxiliary variables and parameters, respectively. 
To define this notion, we extend the domain of the substitution to include also the 
existentially and universally quantified variables, as follows. 

Definition 10 ($\mathcal{A}$-Solution). Let $\mathbb{P} = \exists\bar W\,\forall\bar Y : P$ be a NEP. Let $\sigma$ be an 
idempotent substitution such that $\mathsf{dom}(\sigma) = \mathsf{Fv}(\mathbb{P})$. Then $\sigma$ is an $\mathcal{A}$-solution of $\mathbb{P}$ 
iff there is a ground substitution $\delta$, where $\mathsf{dom}(\delta) = \bar W$, such that for every ground 
substitution $\lambda$, where $\mathsf{dom}(\lambda) = \bar Y$, $\sigma\delta\lambda$ $\mathcal{A}$-validates $P$. The set of $\mathcal{A}$-solutions of 
$\mathbb{P}$ is denoted $S_{\mathcal{A}}(\mathbb{P})$, or simply $S(\mathbb{P})$ if $\mathcal{A}$ is clear from the context. 


Example 4. Consider the signature $\Sigma_{\mathsf{nat}} := \{\mathsf{zero} : 0, \mathsf{suc} : 1\}$ for natural numbers, 
and the nominal initial algebra $\mathcal{A}_{\mathsf{nat}}$ with $\mathsf{zero}$ and $\mathsf{suc}$ interpreted as expected. 
The problem $\mathbb{P} := \exists W\,\forall Y : W \not\approx_\alpha \mathsf{suc}(Y)$ has $\mathsf{id}$ as solution. Indeed, taking for 
example $\delta = [W/\mathsf{zero}]$ or $\delta = [W/a]$ and any choice of $\lambda$ ($\mathsf{dom}(\lambda) = \{Y\}$), the 
composition $\mathsf{id}\,\delta\lambda$ $\mathcal{A}$-validates $W \not\approx_\alpha \mathsf{suc}(Y)$. 

In Definition 10, $\delta$ is the substitution that instantiates the auxiliary variables, so 
there can be many (possibly infinitely many) such $\delta$. 


Lemma 2 (Equivariance of Solutions). If $\sigma$ is an $\mathcal{A}$-solution of the NEP 
$\mathbb{P}$ then for any permutation $\pi$, $\pi\cdot\sigma$ (defined by $[X_i/\pi\cdot t_i]$, as expected) is an 
$\mathcal{A}$-solution of $\pi\cdot\mathbb{P}$. In particular, if an $\mathcal{A}$-solution contains an atom not occurring 
in $\mathbb{P}$, that atom can be swapped for any other atom not occurring in $\mathbb{P}$. 

Lemma 2 is a direct consequence of the fact that interpretations are equivariant, 
and shows that solutions are closed under permutation. It allows us to use 
permutations to represent infinitely many choices of atoms in solutions. 


Example 5. Consider the problem $\forall Y : X \not\approx_\alpha \lambda[a]Y$, built over the signature of 
Example 1. The set of solutions contains $\sigma = [X/a]$ as well as $(a\ b)\cdot[X/a] = [X/b]$, 
for any other atom $b$. 
Lemma 3 (Closure by Instantiation). If $\sigma$ is an $\mathcal{A}$-solution of the NEP 
$\mathbb{P} = \exists\bar W\,\forall\bar Y : P$ then any idempotent substitution $\sigma'$ obtained as an instance of 
$\sigma$ such that $\mathsf{dom}(\sigma') = \mathsf{dom}(\sigma)$ is also an $\mathcal{A}$-solution of $\mathbb{P}$. In particular, for any 
such ground instance $\sigma'$ of $\sigma$ there is a ground substitution $\delta$, where $\mathsf{dom}(\delta) = \bar W$, 
such that for every ground substitution $\lambda$, where $\mathsf{dom}(\lambda) = \bar Y$, $\sigma'\delta\lambda$ $\mathcal{A}$-validates $P$. 

Proof. By definition of $\mathcal{A}$-solution, to show that $\sigma'$ is an $\mathcal{A}$-solution of $\mathbb{P}$ we need 
to consider all the valuations of the form $\varsigma^{\sigma'\delta\lambda}$ as indicated in Definitions 8, 9 and 
10. The result follows from the fact that for any valuation $\varsigma^{\sigma'\delta\lambda}$ there exists an 
equivalent valuation $\varsigma'^{\,\sigma\delta\lambda}$ by Lemma 1. 


4 A rule-based procedure 


In this section we present a set of simplification rules to solve NEPs. A simplification 
step, denoted P => P’, transforms P into an equivalent problem P’ from which 
solutions are easier to extract. 


4.1 Simplification Rules 


Rules may have application conditions (rule controls) that define a simplification 
strategy. Our strategy gives priority to rules according to their role. We 
split the rules into groups $R_i$ as shown in Figures 2, 3 and 4: $R_1$ eliminates 
trivial constraints, $R_2$ deals with clash and occurs check, $R_3$ eliminates unneeded 
quantifiers, $R_4$ and $R_5$ decompose positive and negative constraints, respectively, 
$R_6$ eliminates parameters and $R_7$ instantiates variables. The Explosion and 
Elimination of Disjunction rules in $R_8$ search for solutions as explained below. 
Finally, $R_9$ eliminates the remaining universal quantifiers. A rule $R \in R_i$ can 
only be applied if no rule from $R_j$, with $j < i$, can be applied. 

Since we are dealing with formulas that contain disjunction and conjunction 
connectives, we need to take into account the standard Boolean axioms. To 
simplify, instead of working modulo the Boolean axioms we apply a Boolean 
normalisation step before a rule is applied. Following Comon and Lescanne [10], 
we choose conjunctive normal form: before the application of each rule, 
$P$ is reduced to a conjunction of disjunctions. 

The explosion rule creates new branches by instantiating variables considering 
all possible ways of constructing terms (i.e., each $f \in \Sigma$, abstractions and atoms). 
Note that $\Sigma \cup \mathsf{Atoms}(\mathbb{P}) \cup \{a'\}$ is a finite set (all possible 
constructions are represented by a finite number of cases), so the rule is finitely branching. 

The rule Elimination of Disjunctions also builds a finite number of branches. 
Therefore, our procedure builds a finitely branching tree of problems to be solved. 

Rules $R_1$-$R_8$ are not sufficient to eliminate all parameters from a NEP (see 
Example 6), in contrast with the syntactic case [7], where similar rules produce 
parameterless normal forms. This is because we are dealing with both freshness 
and $\alpha$-equality. Indeed, normal forms for rules $R_1$-$R_8$ may contain parameters, 
but only in disjunctions involving both freshness and equality constraints for the 
same parameter, as the following lemma states. The rules in $R_9$ (Figure 4) are 
introduced to deal with this problem. 
$R_1$: Trivial Rules 

(T1) $t \approx_\alpha t \Rightarrow \top$ 
(T2) $t \not\approx_\alpha t \Rightarrow \bot$ 
(T3) $a \approx_\alpha b \Rightarrow \bot$ 
(T4) $a\#b \Rightarrow \top$ 
(T5) $a\#a \Rightarrow \bot$ 
(T6) $a\not\#a \Rightarrow \top$ 
(T7) $a\not\#b \Rightarrow \bot$ 
(T8) $a\#t \wedge a\not\#t \Rightarrow \bot$ 
(T9) $a\#t \vee a\not\#t \Rightarrow \top$ 

$R_2$: Clash and Occurrence Check Rules 

(CL1) $s \not\approx_\alpha t \Rightarrow \top$ 
(CL2) $s \approx_\alpha t \Rightarrow \bot$ 
Conditions for (CL1) and (CL2): $s(\epsilon) \neq t(\epsilon)$ and neither is a moderated variable. 
(O1) $\pi\cdot Z \approx_\alpha t \Rightarrow \bot$ 
(O2) $\pi\cdot Z \not\approx_\alpha t \Rightarrow \top$ 
Conditions for (O1) and (O2): $Z \in \mathsf{vars}(t)$ and $t$ is not of the form $\pi'\cdot Z$. 

$R_3$: Elimination of parameters and auxiliary unknowns 

(C1) $\forall Y, \bar Y : P \Rightarrow \forall\bar Y : P$, if $Y \notin \mathsf{vars}(P)$ 
(C2) $\exists W, \bar W : P \Rightarrow \exists\bar W : P$, if $W \notin \mathsf{vars}(P)$ 
(C3) $\exists W, \bar W : \pi\cdot W \approx_\alpha t \wedge P \Rightarrow \exists\bar W : P$, if $W \notin \mathsf{vars}(P, t)$ 

$R_4$: Equality and freshness simplification 

(E1) $\pi\cdot X \approx_\alpha \gamma\cdot X \Rightarrow \bigwedge \mathsf{ds}(\pi, \gamma)\#X$ 
(E2) $[a]t \approx_\alpha [a]u \Rightarrow t \approx_\alpha u$ 
(E3) $[a]t \approx_\alpha [b]u \Rightarrow (b\ a)\cdot t \approx_\alpha u \wedge b\#t$ 
(E4) $f(\bar t) \approx_\alpha f(\bar u) \Rightarrow \bigwedge_i t_i \approx_\alpha u_i$ 
(F1) $a\#\pi\cdot X \Rightarrow \pi^{-1}(a)\#X$, if $\pi \neq \mathsf{id}$ 
(F2) $a\#[a]t \Rightarrow \top$ 
(F3) $a\#[b]t \Rightarrow a\#t$ 
(F4) $a\#f(t_1, \ldots, t_n) \Rightarrow \bigwedge_i a\#t_i$ 

$R_5$: Disunification 

(DC) $f(\bar t) \not\approx_\alpha f(\bar u) \Rightarrow \bigvee_i t_i \not\approx_\alpha u_i$ 
(D1) $\pi\cdot X \not\approx_\alpha \gamma\cdot X \Rightarrow \bigvee \mathsf{ds}(\pi, \gamma)\not\#X$ 
(D2) $[a]t \not\approx_\alpha [a]u \Rightarrow t \not\approx_\alpha u$ 
(D3) $[a]t \not\approx_\alpha [b]u \Rightarrow (b\ a)\cdot t \not\approx_\alpha u \vee b\not\#t$ 
(NF1) $a\not\#\pi\cdot X \Rightarrow \pi^{-1}(a)\not\#X$, if $\pi \neq \mathsf{id}$ 
(NF2) $a\not\#[a]t \Rightarrow \bot$ 
(NF3) $a\not\#[b]t \Rightarrow a\not\#t$ 
(NF4) $a\not\#f(\bar t) \Rightarrow \bigvee_i a\not\#t_i$ 

$R_6$: Simplification of Parameters 

(U1) $\forall Y, \bar Y : P \wedge \pi\cdot Y \approx_\alpha t \Rightarrow \bot$, if $Y \notin \mathsf{vars}(t)$ 
(U2) $\forall\bar Y : P \wedge (\pi\cdot Y \not\approx_\alpha t \vee Q) \Rightarrow \forall\bar Y : P \wedge Q[Y/\pi^{-1}\cdot t]$, if $Y \notin \mathsf{vars}(t)$ and $Y \in \bar Y$ 
(U3) $\forall Y, \bar Y : P \wedge \pi\cdot Y \approx_\alpha t \Rightarrow \bot$, if $\pi\cdot Y \neq t$ 
(U4) $\forall\bar Y : P \wedge (\pi_1\cdot Z_1 \approx_\alpha t_1 \vee \ldots \vee \pi_n\cdot Z_n \approx_\alpha t_n \vee Q) \Rightarrow \forall\bar Y : P \wedge Q$ 
(U5) $\forall Y, \bar Y : P \wedge a\#Y \Rightarrow \bot$ 
(U6) $\forall Y, \bar Y : P \wedge a\not\#Y \Rightarrow \bot$ 

Conditions for (U4): 

— Each equation in the disjunction contains at least one occurrence of a parameter, 
and $\pi_i\cdot Z_i \neq t_i$ for each $i = 1, \ldots, n$. 
— $Q$ does not contain any parameter. 

$R_7$: Instantiation Rules 

(I1) $\pi\cdot Z \approx_\alpha t \wedge P \Rightarrow Z \approx_\alpha \pi^{-1}\cdot t \wedge P[Z/\pi^{-1}\cdot t]$ 

— If $\pi = \mathsf{id}$ then $Z$ is not a parameter, $Z$ occurs in $P$, and if $t$ is a variable then 
$t$ occurs in $P$. 
— If $\pi \neq \mathsf{id}$, then $t$ is not of the form $\mathsf{id}\cdot Z'$. 

(I2) $\pi\cdot Z \not\approx_\alpha t \vee P \Rightarrow Z \not\approx_\alpha \pi^{-1}\cdot t \vee P[Z/\pi^{-1}\cdot t]$ 

— If $\pi = \mathsf{id}$ then $Z$ occurs in $P$, and if $t$ is a variable then $t$ occurs in $P$. 
— If $\pi \neq \mathsf{id}$, then $t$ is not of the form $\mathsf{id}\cdot Z'$. 

Fig. 2. Preserving Rules 
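As an added, illustrative implementation (this is not code from the paper), the following Python encodes the nominal terms of Definition 1, the permutation action and difference set of Section 2, a derivability check for the CORE judgements $\nabla \vdash a\#t$ and $\nabla \vdash s \approx_\alpha t$ of Fig. 1, and one step of the decomposition rules $R_4$/$R_5$ of Fig. 2 (falling through to the trivial and clash rules of $R_1$/$R_2$ where they apply). Representing permutations as tuples of swappings and freshness contexts as sets of pairs is an implementation choice; the rule names in comments refer to Figs. 1 and 2, and every term, atom and variable name in the calls is constructed test data.

```python
from dataclasses import dataclass

# Added example, not from the paper. A permutation is a tuple of swappings (a, b),
# applied right-to-left as in the paper; () is id. A freshness context is a set of
# pairs (a, X) standing for a#X. Rule names in comments refer to Figs. 1 and 2.

@dataclass(frozen=True)
class Atom: name: str                 # atom a
@dataclass(frozen=True)
class Var: perm: tuple; name: str     # moderated variable pi.X
@dataclass(frozen=True)
class Abs: atom: str; body: object    # abstraction [a]t
@dataclass(frozen=True)
class App: f: str; args: tuple        # application f(t1, ..., tn)

def perm_atom(pi, a):
    """pi(a), applying the swappings right-to-left."""
    for x, y in reversed(pi):
        a = y if a == x else x if a == y else a
    return a

def act(pi, t):
    """pi . t: pi.(pi'.X) = (pi o pi').X and pi.[a]t = [pi(a)](pi.t)."""
    if isinstance(t, Atom):
        return Atom(perm_atom(pi, t.name))
    if isinstance(t, Var):
        return Var(tuple(pi) + t.perm, t.name)
    if isinstance(t, Abs):
        return Abs(perm_atom(pi, t.atom), act(pi, t.body))
    return App(t.f, tuple(act(pi, u) for u in t.args))

def ds(pi, gamma):
    """ds(pi, gamma) = {a | pi(a) != gamma(a)}; only atoms moved by either can differ."""
    moved = {x for sw in tuple(pi) + tuple(gamma) for x in sw}
    return {a for a in moved if perm_atom(pi, a) != perm_atom(gamma, a)}

def fresh(ctx, a, t):
    """ctx |- a # t is derivable by (#ab), (#var), (#abs-a), (#abs-b), (#f)."""
    if isinstance(t, Atom):
        return a != t.name
    if isinstance(t, Var):                        # needs pi^-1(a) # X in ctx
        return (perm_atom(tuple(reversed(t.perm)), a), t.name) in ctx
    if isinstance(t, Abs):
        return a == t.atom or fresh(ctx, a, t.body)
    return all(fresh(ctx, a, u) for u in t.args)

def alpha_eq(ctx, s, t):
    """ctx |- s ~a t is derivable by (~a), (~var), (~abs-a), (~abs-b), (~f)."""
    if isinstance(s, Atom) and isinstance(t, Atom):
        return s.name == t.name
    if isinstance(s, Var) and isinstance(t, Var):  # ds(pi, pi') # X must be in ctx
        return s.name == t.name and all((a, s.name) in ctx for a in ds(s.perm, t.perm))
    if isinstance(s, Abs) and isinstance(t, Abs):
        if s.atom == t.atom:
            return alpha_eq(ctx, s.body, t.body)
        swapped = act(((s.atom, t.atom),), t.body)   # t ~a (a a').t'  and  a # t'
        return alpha_eq(ctx, s.body, swapped) and fresh(ctx, s.atom, t.body)
    if isinstance(s, App) and isinstance(t, App):
        return (s.f == t.f and len(s.args) == len(t.args)
                and all(alpha_eq(ctx, u, v) for u, v in zip(s.args, t.args)))
    return False

def decompose(c):
    """One R4/R5 step on a constraint ('eq'|'neq', s, t) or ('fr'|'nfr', a, t).
    Returns ('and', [...]) / ('or', [...]) (an empty one reads as T / F), the
    constraint itself when only R6/R7 could act on it, or True / False via R1/R2."""
    kind, lhs, t = c
    pos = kind in ('eq', 'fr')          # positive constraints conjoin, negative ones disjoin
    junct = 'and' if pos else 'or'
    fr = 'fr' if pos else 'nfr'
    if kind in ('eq', 'neq'):
        s = lhs
        if isinstance(s, Var) and isinstance(t, Var) and s.name == t.name:   # (E1)/(D1)
            return (junct, [(fr, a, Var((), s.name)) for a in sorted(ds(s.perm, t.perm))])
        if isinstance(s, Abs) and isinstance(t, Abs):
            if s.atom == t.atom:                                             # (E2)/(D2)
                return (kind, s.body, t.body)
            return (junct, [(kind, act(((t.atom, s.atom),), s.body), t.body),  # (E3)/(D3)
                            (fr, t.atom, s.body)])
        if isinstance(s, App) and isinstance(t, App) and s.f == t.f and len(s.args) == len(t.args):
            return (junct, [(kind, u, v) for u, v in zip(s.args, t.args)])   # (E4)/(DC)
        if isinstance(s, Atom) and isinstance(t, Atom):                      # (T1)-(T3)
            return (s.name == t.name) == pos
        if isinstance(s, Var) or isinstance(t, Var):
            return c                                                         # left to R6/R7
        return not pos                                                       # (CL1)/(CL2)
    a = lhs
    if isinstance(t, Atom):                                                  # (T4)-(T7)
        return (a != t.name) == pos
    if isinstance(t, Var):                                                   # (F1)/(NF1)
        return (kind, perm_atom(tuple(reversed(t.perm)), a), Var((), t.name))
    if isinstance(t, Abs):                                                   # (F2)/(NF2), (F3)/(NF3)
        return pos if a == t.atom else (kind, a, t.body)
    return (junct, [(kind, a, u) for u in t.args])                           # (F4)/(NF4)
```

`alpha_eq(set(), Abs('a', Atom('a')), Abs('b', Atom('b')))` derives $\vdash [a]a \approx_\alpha [b]b$ although the two terms are syntactically distinct, as remarked after Definition 1, while $[a]X \approx_\alpha [b]X$ is derivable only under a context containing $a\#X$ and $b\#X$. Iterating `decompose` on a constraint without moderated variables ends in $\top$, $\bot$ or primitive constraints, which is the sense in which the rules of $R_4$/$R_5$ mirror the (invertible) derivation rules of Fig. 1.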
$R_8$: Explosion and Elimination of Disjunction 

(ED1) $\forall\bar Y : P \wedge (P_1 \vee P_2) \Rightarrow \forall\bar Y : P \wedge P_i$ ($i \in \{1, 2\}$), if $\mathsf{vars}(P_1) \cap \bar Y = \emptyset$ or $\mathsf{vars}(P_2) \cap \bar Y = \emptyset$. 

(ED2) $\forall\bar Y_1, \bar Y_2 : P \wedge (P_1 \vee P_2) \Rightarrow \forall\bar Y_1, \bar Y_2 : P \wedge P_i$ ($i \in \{1, 2\}$), if $\mathsf{vars}(P_1) \cap \bar Y_2 = \emptyset$ and 
$\mathsf{vars}(P_2) \cap \bar Y_1 = \emptyset$. 

(Exp) $\exists\bar W\,\forall\bar Y : P \Rightarrow \exists\bar W'\,\exists\bar W\,\forall\bar Y : P \wedge X \approx_\alpha t$, for $t = f(\bar W')$ or $t = [a]W'$ or $t = a$. 

Conditions for (Exp): 

1. $X$ is a free or existential variable occurring in $P$, and $\bar W'$ are newly chosen auxiliary 
variables not occurring anywhere in the problem; 

2. $f \in \Sigma$ and $a \in \mathsf{Atoms}(\mathbb{P}) \cup \{a'\}$, where $a'$ is a new atom; 

3. there exists an equation $X \approx_\alpha u$ (or disequation $X \not\approx_\alpha u$) in $P$ such that $u$ is not a 
variable and contains at least one parameter; and 

4. no other rule can be applied. 

Fig. 3. Globally Preserving Rules 


Example 6. Both $P = a\#Y_1 \vee Y_2 \approx_\alpha f(Y_1)$ and $P = a\#Y_1 \vee a\not\#Y_2 \vee Y_1 \approx_\alpha f(Y_2)$ 
are irreducible: neither (U4) nor (ED1) applies, since all the disjuncts contain 
parameters; (ED2) does not apply, since each constraint has a parameter that 
occurs in another constraint; (Exp) does not apply, because there is no equation 
or disequation with a free or existentially quantified variable on one side. 


The following lemma characterises the irreducible disjunctions with respect 
to rules $R_1$-$R_8$ in which parameters may remain. 

Lemma 4. Let $P$ be a disjunction of constraints irreducible w.r.t. $R_1$-$R_8$. For 
each parameter $Y$ such that $P = a\#Y \vee Q$ (resp. $P = a\not\#Y \vee Q$), for some atom 
$a$, the following holds: 

1. $a\not\#Y$ (resp. $a\#Y$) cannot occur in $Q$; 

2. $Y$ has to occur in $Q$; 

3. if $Q$ contains an equational constraint then it has the form $Y \approx_\alpha t$, where 
$Y \notin \mathsf{vars}(t)$, or $Y' \approx_\alpha t$, with $Y \in \mathsf{vars}(t)$; 

4. $Q$ does not contain disequations or primitive freshness constraints for free or 
existentially quantified variables. 


Proof. In an irreducible disjunction of constraints at least one of the sides 
of each equation (or disequation) is a variable, otherwise we could simplify the 
equation/disequation. 

Condition 1. It holds, otherwise we could apply (T9). Condition 2. It holds, 
otherwise we could apply (ED2). 

Condition 3. If $Q$ had an equation of the form $X \approx_\alpha t$, for some free or 
existentially quantified variable $X$, then $t$ could not contain a parameter, otherwise 
we could apply rule (Exp). Therefore $t = t[Z_1, \ldots, Z_n]$, for $n \ge 0$, where each $Z_i$ 
is either a free or an existentially quantified variable, and one could apply rule (ED1). 
Thus, if an equation exists, one of its sides has to be a parameter, say $Y \approx_\alpha t$, 
and $Y$ cannot occur in $t$, otherwise rule (O1) applies. 

Condition 4. If $Q$ were to contain a disequation, say $X \not\approx_\alpha t$, then $t$ could 
not contain a parameter, otherwise we could apply (Exp) as above, but then we 
could apply rule (ED1). Therefore, if $Q$ were to contain a disequation, it would 
be of the form $Y \not\approx_\alpha t$, and then it would reduce either with (O2) or with (U2). Thus, 
$Q$ does not contain disequations. Similarly, if $Q$ contained a primitive freshness 
constraint for a free or existentially quantified variable then (ED1) would apply. 

$R_9$: Simplification of parameters in freshness constraints 

(U7) $\forall Y, \bar Y : P \wedge (a\#Y \vee Q) \Rightarrow \bot$, 
if $R_1$-$R_8$ do not apply (so $Q$ does not contain $a\not\#Y$) and $Y \in \mathsf{vars}(Q)$. 
(U8) $\forall Y, \bar Y : P \wedge (a\not\#Y \vee Q) \Rightarrow \bot$, 
if $R_1$-$R_8$ do not apply (so $Q$ does not contain $a\#Y$) and $Y \in \mathsf{vars}(Q)$. 

Fig. 4. Preserving Rules for (non)freshness constraints with parameters. 


The remaining disjunctions with parameters can be simplified using the rules 
in $R_9$, since they will not produce solutions (as shown in Theorem 1). 
We end this section with an example of application of the simplification rules. 


Example 7. Let $\mathbb{P}$ be a NEP, using the signature from Example 1, as follows: 

\[
\mathbb{P} = \forall Y : \lambda[a]X \not\approx_\alpha \lambda[a]\lambda[a]Y
\ \Rightarrow_{(\mathrm{DC})}\ \forall Y : [a]X \not\approx_\alpha [a]\lambda[a]Y
\ \Rightarrow_{(\mathrm{D2})}\ \forall Y : X \not\approx_\alpha \lambda[a]Y
\]

Rules in $R_4$-$R_7$ cannot be applied, and the explosion rule produces six problems 
(one for each of $\mathsf{lam}$, $\mathsf{app}$, the abstractions $[a]W$ and $[b]W$ with $b$ a new atom, and the atoms $a$, $b$): 

\[
\begin{array}{ll}
\mathbb{P}_1 = \exists W_1\,\forall Y : X \not\approx_\alpha \lambda[a]Y \wedge X \approx_\alpha \lambda W_1 &
\mathbb{P}_4 = \exists W\,\forall Y : X \not\approx_\alpha \lambda[a]Y \wedge X \approx_\alpha [b]W \\
\mathbb{P}_2 = \exists W_1, W_2\,\forall Y : X \not\approx_\alpha \lambda[a]Y \wedge X \approx_\alpha W_1 W_2 &
\mathbb{P}_5 = \forall Y : X \not\approx_\alpha \lambda[a]Y \wedge X \approx_\alpha a \\
\mathbb{P}_3 = \exists W\,\forall Y : X \not\approx_\alpha \lambda[a]Y \wedge X \approx_\alpha [a]W &
\mathbb{P}_6 = \forall Y : X \not\approx_\alpha \lambda[a]Y \wedge X \approx_\alpha b
\end{array}
\]

Reducing the first problem (following, at the second explosion, the branch $W_1 \approx_\alpha \lambda W_2$) we get: 

\[
\begin{array}{lll}
\mathbb{P}_1 & \Rightarrow_{(\mathrm{I1})} & \exists W_1\,\forall Y : \lambda W_1 \not\approx_\alpha \lambda[a]Y \wedge X \approx_\alpha \lambda W_1 \\
& \Rightarrow_{(\mathrm{DC})} & \exists W_1\,\forall Y : W_1 \not\approx_\alpha [a]Y \wedge X \approx_\alpha \lambda W_1 \\
& \Rightarrow_{(\mathrm{Exp})} & \exists W_1 W_2\,\forall Y : W_1 \not\approx_\alpha [a]Y \wedge X \approx_\alpha \lambda W_1 \wedge W_1 \approx_\alpha \lambda W_2 \\
& \Rightarrow_{(\mathrm{I1})} & \exists W_1 W_2\,\forall Y : \lambda W_2 \not\approx_\alpha [a]Y \wedge X \approx_\alpha \lambda W_1 \wedge W_1 \approx_\alpha \lambda W_2 \\
& \Rightarrow_{(\mathrm{CL1})} & \exists W_1 W_2\,\forall Y : X \approx_\alpha \lambda W_1 \wedge W_1 \approx_\alpha \lambda W_2 \\
& \Rightarrow_{(\mathrm{C1}),(\mathrm{I1})} & \exists W_1 W_2 : X \approx_\alpha \lambda\lambda W_2 \wedge W_1 \approx_\alpha \lambda W_2.
\end{array}
\]

At this point $\mathbb{P}_1$ has reached a normal form without any parameter. Solutions of $\mathbb{P}_1$ can 
be easily obtained by taking any instance of $X$ of the form $\lambda\lambda t$. It is easy to check that 
this choice indeed generates solutions of $\mathbb{P}$. Similar reductions apply to $\mathbb{P}_i$, $2 \le i \le 6$. 
As we will see in the next section, the application of such simplification rules is 
well-behaved in the sense that we do not lose any solution along the way. 
4.2 Soundness and Preservation of Solutions 

The next step is to ensure that the application of rules does not change the set 
of solutions of an equational problem. 

Definition 11 (Soundness and preservation of solutions). Let $\mathcal{A}$ be any 
infinite subalgebra of CORE. 

1. A rule $R$ is $\mathcal{A}$-sound if $\mathbb{P} \Rightarrow_R \mathbb{P}'$ implies $S(\mathbb{P}') \subseteq S(\mathbb{P})$. 
2. A rule $R$ is $\mathcal{A}$-preserving if $\mathbb{P} \Rightarrow_R \mathbb{P}'$ implies $S(\mathbb{P}) \subseteq S(\mathbb{P}')$. 
3. A rule $R$ is $\mathcal{A}$-globally preserving if, for any problem $\mathbb{P}$, 

\[
S(\mathbb{P}) \subseteq \bigcup_{\substack{\mathbb{P} \Rightarrow_R \mathbb{P}_i \\ \mathsf{supp}(\pi) \cap \mathsf{Atoms}(\mathbb{P}) = \emptyset}} \pi\cdot S(\mathbb{P}_i).
\]

All our rules, except those in $R_8$, are sound and preserving (Theorem 1). 
The rules in $R_8$ create branches in the derivation tree; they are sound and only 
globally preserving (Theorem 2). 

Theorem 1. The rules in $R_1$ to $R_7$ and the rules in $R_9$ are $\mathcal{A}$-sound and 
$\mathcal{A}$-preserving for any infinite subalgebra $\mathcal{A}$ of CORE. 


Proof. Rules in $R_1$, $R_2$ and $R_3$: soundness and preservation of solutions are 
easy to deduce. For instance, for the clash rules (CL1) and (CL2), it follows by 
inspection of the deduction rules that the judgement $\vdash s\gamma \approx_\alpha t\gamma$ is not derivable 
for any valuation $\varsigma$ and corresponding grounding substitution $\gamma = \sigma^{\mathsf{vars}(s,t)}_\varsigma$ (see 
Definition 7) if the root constructors of $s$ and $t$ are different (hence every $\gamma$ is 
a solution of the disequation). For (C3) observe that we can take $[W/t]$ as a 
witness for $W$ in a validation of $\exists W : P$, if $W \notin \mathsf{vars}(P, t)$. 

Rules in $R_4$ and $R_5$: this follows from soundness and preservation of the simplification 
rules in [14]. We use the fact that the nominal equality and freshness rules from Fig. 
1 are invertible; for instance, for a grounding substitution $\gamma$, the judgement 
$\vdash f(\bar s)\gamma \approx_\alpha f(\bar u)\gamma$ fails, which makes $f(\bar s)\gamma \not\approx_\alpha f(\bar u)\gamma$ valid, iff one of the premises 
$\vdash s_i\gamma \approx_\alpha u_i\gamma$ does not hold. 

Rules in $R_6$: the result is straightforward for rules (U1) and (U3). 

(U2). To prove soundness of (U2) notice that the solution set of a conjunction 
is the intersection of the solution sets of its members. We have to show 
that every solution of $Q[Y/\pi^{-1}\cdot t]$ is a solution of $(\pi\cdot Y \not\approx_\alpha t \vee Q)$. Let $\gamma$ be a 
solution of $Q[Y/\pi^{-1}\cdot t]$ and take any substitution $\lambda$ satisfying the conditions of 
Definition 10. So $(Q[Y/\pi^{-1}\cdot t])\gamma\lambda$ is valid and we need to show the validity of 

\[ (\pi\cdot Y \not\approx_\alpha t)\gamma\lambda \vee Q\gamma\lambda. \qquad (1) \] 

For each such $\lambda$ there are two possible cases. First, $\vdash \pi\cdot Y\lambda \approx_\alpha t\gamma\lambda$ (note 
that $\lambda$ is a ground substitution, so both sides of this equation are ground); then 
we have that $\gamma\lambda = \gamma\lambda'[Y/\pi^{-1}\cdot t\gamma\lambda]$, where $\lambda'$ is $\lambda$ without the binding for $Y$. By hypothesis, $\gamma\lambda$ validates $Q[Y/\pi^{-1}\cdot t]$, 
so $\gamma\lambda'[Y/\pi^{-1}\cdot t\gamma\lambda]$ validates $Q$. Second, $\nvdash \pi\cdot Y\lambda \approx_\alpha t\gamma\lambda$; then $\gamma\lambda$ validates 
$\pi\cdot Y \not\approx_\alpha t$. Hence $\gamma$ is a solution of (1). 

To prove preservation for (U2), take $\gamma$ a solution of $\forall Y, \bar Y : \pi\cdot Y \not\approx_\alpha t \vee Q$; we 
need to show that $\gamma$ is also a solution of $\forall\bar Y : Q[Y/\pi^{-1}\cdot t]$. Notice that $\gamma$ is a 
solution of $\forall Y, \bar Y : \pi\cdot Y \not\approx_\alpha t$ or of $\forall Y, \bar Y : Q$, but it clearly cannot solve the first 
problem. Hence, $\gamma$ solves $\forall Y, \bar Y : Q$. By Definition 10, for all substitutions $\lambda$ with 
domain $\bar Y \cup \{Y\}$ we have that $\lambda\gamma$ validates $Q$. In particular, the substitution 
$[Y/\pi^{-1}\cdot t\gamma]\lambda\gamma$, which is equivalent to $[Y/\pi^{-1}\cdot t]\lambda\gamma$ (since $\gamma$ is away from $\lambda$), must 
also validate $Q$. Consequently, $\lambda\gamma$ validates $Q[Y/\pi^{-1}\cdot t]$. 

(U4). Soundness for this rule follows trivially. For preservation of solutions, we 
show that any solution of $\forall\bar Y : \bigvee_i Z_i \approx_\alpha t_i \vee Q$ is a solution of $\forall\bar Y : Q$. The shape 
of the first problem induces the requirement that the disjunction $\bigvee_i Z_i \approx_\alpha t_i$ does 
not have a solution. To show this we prove that the negated form $\bigwedge_i Z_i \not\approx_\alpha t_i$ 
has at least one solution. Notice that such a solution is a witness for the failure 
of $\bigvee_i Z_i \approx_\alpha t_i$, since all of those equations have at least one parameter. Lemma 5 
shows that this is true. 

(U5) and (U6). We need to show that every solution of $\forall Y, \bar Y : P \wedge a\#Y$ is also 
a solution of $\bot$, i.e., no such solution exists for the lhs of the rule. In fact, the 
existence of such a $\gamma$ would imply (taking $\lambda = [Y/a]$) $a\#a$, which is impossible. 
For (U6) we use the same reasoning with $\lambda = [Y/[a]a]$. 

Rules in $R_7$. Soundness and preservation of (I1) has been proved in previous 
works, since rule (I1) is used in standard nominal unification algorithms [23]. Rule 
(I2) is a direct adaptation of the rule used in the standard (syntactic) case, proved 
sound and preserving in [10]. Indeed, $\gamma \in S(\pi\cdot Z \not\approx_\alpha t \vee P)$ if, and only if, for 
any grounding instance $\gamma'$ of $\gamma$, $\gamma' \in S(Z \not\approx_\alpha \pi^{-1}\cdot t)$ or $\gamma' \in S(P)$ (by Lemma 3). 
Finally, notice that $\gamma \in S(P) \setminus S(Z \not\approx_\alpha \pi^{-1}\cdot t)$ if and only if $\gamma \in S(P[Z/\pi^{-1}\cdot t])$. 

Rules in $R_9$. Soundness follows trivially, since $\bot$ has no solution. We show 
below that (U7) is $\mathcal{A}$-preserving; the proof is analogous for rule (U8). 

Let $\mathbb{P} = \exists\bar W\,\forall Y, \bar Y : P \wedge (a\#Y \vee Q)$ where $Q$ is fully reduced by $R_1$-$R_8$, 
$Y \in \mathsf{vars}(Q)$ and $Q$ does not contain $a\not\#Y$. We prove that $\mathbb{P}$ does not have 
solutions by induction on the number of freshness constraints in $a\#Y \vee Q$. 

Base case: $Q$ contains just equational constraints, each containing at least one 
occurrence of the parameter $Y$, as specified in Lemma 4. Suppose by contradiction 
that there exists an $\mathcal{A}$-solution $\gamma$. Thus, $\gamma$ is away from $\bar Y \cup \{Y\}$, $\mathsf{dom}(\gamma) = X = 
\mathsf{Fv}(\mathbb{P})$, there is a ground substitution $\delta$ with $\mathsf{dom}(\delta) = \bar W$, and for all $\lambda$ away 
from $X, \bar W$, with $\mathsf{dom}(\lambda) = \bar Y \cup \{Y\}$, $\gamma\delta\lambda$ $\mathcal{A}$-validates $P \wedge (a\#Y \vee Q)$. Then it 
$\mathcal{A}$-validates both $P$ and $(a\#Y \vee Q)$. The latter implies that $\gamma\delta\lambda$ $\mathcal{A}$-validates $Q$ 
for every $\lambda$ (but then $Q$ has a solution, which is impossible due to the form of 
the equational constraints) or that $Q$ implies $a\not\#Y$ (since there is at least one $f \in \Sigma$ 
such that $f : n$ and $n > 0$, and therefore $a\#Y$ is false for an infinite number of 
ground terms $Y\lambda$). The latter is impossible since $a\#Y$ is defined as $a \notin \mathsf{supp}(Y)$, 
which is defined as $(a\ a')\cdot Y = Y$ for a new $a'$, and reduced problems cannot 
contain fixed-point equations or their negations (these are simplified using rules 
(E1) and (D1), respectively). 

The inductive step is proved similarly, using Lemma 4 as in the base case to 
deduce that the constraints in $Q$ cannot entail $a\not\#Y$. 


Theorem 2. Let $\mathcal{A}$ be any infinite subalgebra of CORE. 

1. Rule (Exp) is $\mathcal{A}$-sound and $\mathcal{A}$-globally preserving. 
2. Rules (ED1) and (ED2) are $\mathcal{A}$-sound and $\mathcal{A}$-globally preserving. 

Lemma 5 guarantees the existence of a solution for a conjunction of non-trivial 
disequations as long as the algebra considered has sufficiently many ground terms. 

Lemma 5. Let $P$ be a conjunction of non-trivial disequations. Let $\mathcal{A}$ be any 
infinite subalgebra of CORE. Then $P$ has at least one solution in $\mathcal{A}$. 

Proof. The proof proceeds by induction on the number of distinct variables 
occurring in $P$. For the base case $P$ has no variables. Then every substitution 
solves $P$, since by hypothesis $P$ does not contain any trivial disequation $t \not\approx_\alpha t$. 

Assume the result holds for problems with $m - 1$ variables. Let $P$ be a 
conjunction of non-trivial disequations such that $|\mathsf{vars}(P)| = m$ and $X \in 
\mathsf{vars}(P)$. For each disequation $s \not\approx_\alpha t \in P$, the equation $s \approx_\alpha t$ has at most one 
solution (modulo $\alpha$-renaming) when the variables distinct from $X$ are considered 
as constants. Let $S$ be the set of such solutions for all these equations. Since $A$ (the 
domain of $\mathcal{A}$) is infinite, there exists $a \in A$ such that $[X/a] \notin S$. Therefore, $[X/a]$ 
is a solution for $P$. Now, consider the problem $P' = P[X/a]$, which has $m - 1$ 
variables. The result follows by the induction hypothesis. 


4.3 Termination 


To prove termination we define a measure function for NEPs that strictly decreases 
with each application of a rule. The measure uses the following auxiliary functions: 


Definition 12 (Auxiliary Functions). The function $sizePar(t)$ denotes the 
sum of the sizes of the parameter positions in t: 


$$sizePar(t) := \sum_{p_i \in PosPar(t)} |p_i|$$ 


where $PosPar(t) = \{p_i \mid t|_{p_i} = Y_i \text{ for some parameter } Y_i\}$. 
Given a disjunction of equations, disequations, freshness, and negated freshness 
constraints $d = C_1 \vee \ldots \vee C_n$ we define auxiliary functions $\phi_1$ and $\phi_2$ over d. 


1. $\phi_1(d)$ is the number of distinct parameters in d. 
2. $\phi_2(d)$ is the multiset $\{MSP(C_1), \ldots, MSP(C_n)\}$ where $MSP(C)$ is defined by: 
(a) $MSP(C) = 0$ if C is an equation or disequation and a member of C is a 
solved parameter (a parameter Y is solved in d if there exists a disequation 
$Y \not\approx_\alpha u$ in d and Y occurs only once in d); or if C is a primitive freshness 
or a primitive negated freshness constraint; 
(b) otherwise, $MSP(s \approx_\alpha t) = MSP(s \not\approx_\alpha t) = max(sizePar(s), sizePar(t))$ 
and $MSP(a\#t) = MSP(a\neg\#t) = sizePar(t)$. 


Definition 13 (Measure). Let $P = \exists \overline{W}\,\forall \overline{Y}\; d_1 \wedge \ldots \wedge d_n$ be a nominal equational 
problem in conjunctive normal form. P is measured using the tuple 
$(N_u, N_d, \phi(P), M, \psi(P))$, where 


1. $N_u$ is the number of free variables that are unsolved in P. A variable X is 
solved if there is an equation $X \approx_\alpha t$ and X occurs only once in P. 

2. $N_d$ is a multiset that contains for each disjunction $d_i$ in P the number of 
variables that are not d-solved in $d_i$. 
A variable X is d-solved in $d_i$ if $d_i = X \not\approx_\alpha t \vee Q$ and X does not occur in Q. 

3. $\phi(P)$ is the multiset $\{(\phi_1(d_1), \phi_2(d_1)), \ldots, (\phi_1(d_n), \phi_2(d_n))\}$. 

4. M is the multiset $\{M(d_1), \ldots, M(d_n)\}$ where $M(d)$ is the multiset of sizes of 
the constraints in d. The size of a constraint is the size of its largest member, 
or 0 if it has a solved variable or it is a primitive (negated) freshness. 

5. $\psi(P)$ is the total size of P (that is, the number of function symbols, atoms, 
variables, quantifiers, conjunctions, disjunctions, $\top$, $\bot$ in P). 


Using this measure we can prove the termination of the simplification process. 


Theorem 3. The procedure defined in Section 4 for application of rules, ex- 
pressed as $K := R_1\,R_2 \ldots R_k$, terminates. 


5 Nominal Equational Solved Forms 


We have shown that the simplification process terminates and each application 
of the transformation rules preserves solutions. We now characterise the normal 
forms, called solved forms. Intuitively, solved forms are simple enough that one 
can easily extract solutions from them. A first example of a well-known solved form 
is the unification solved form: a conjunction of equations $X_i = t_i$ such that 
each $X_i$ occurs only once. It directly represents a solution mapping $X_i \mapsto t_i$. 
We show in Theorem 4 existence of solutions for certain solved forms, and in 
Theorem 5 we prove that our procedure is complete with respect to solved forms. 


Definition 14 (Solved Forms). 


1. A NEP P is in parameterless solved form if it contains no universal quantifiers. 
2. A NEP is a definition with constraints if it is $\top$, $\bot$ or a conjunction of the 
form 

$$P = \exists \overline{W}\; \Big(\bigwedge_{i=1}^{n} X_i \approx_\alpha t_i\Big) \wedge \Big(\bigwedge_{j=1}^{m} Z_j \not\approx_\alpha v_j\Big) \wedge \Big(\bigwedge_{l} C_l\Big)$$ 

such that: 


— each $Z_j$ occurs only once in P; 
— each $Z_j$ is syntactically different from $v_j$; and 
— each $C_l$ is either a positive, $a\#X$, or negative, $a\neg\#X$, freshness constraint 
such that each pair a, X occurs at most once in P. 
3. A NEP is in unification solved form if it is a definition with constraints which 
does not contain negative constraints. 


Theorem 4 below shows that a problem reduced to definition with constraints 
solved form has at least one solution. 


Theorem 4. Let A be any infinite subalgebra of CORE. If $P \neq \bot$ is in definition 
with constraints solved form, then it has at least one solution. 


Proof. First assume P is in unification solved form (see Definition 14). Let $\nabla$ 
be the context containing all constraints $C_l$ occurring in P. Furthermore, define 
the substitution $\sigma$ that assigns to each free variable $X_i$ the term $t_i$, and the 
substitution $\theta$ mapping each existential variable $W_k$ to $t_k$. Then $[\nabla\sigma\theta]$, which 
is equivalent to $[\nabla]_{\sigma\theta}$ by Lemma 1, is valid in $\mathcal{A}$. Consequently, 


$$[\nabla \vdash X_i\sigma \approx_\alpha t_i\sigma\theta] \quad \text{and} \quad [\nabla \vdash W_k\theta \approx_\alpha t_k]$$ 


are valid judgements. So, $\sigma$ is an $\mathcal{A}$-solution of P with existential witnesses given 
by $\theta$. In the general case, when P is in definition with constraints solved form 
containing also negative constraints, the construction is similar. We can guarantee 
a solution for the disunification part of the problem, $\bigwedge_{j=1}^{m} Z_j \not\approx_\alpha v_j$, by Lemma 5. 


Definition 15. A set R of rules for solving nominal equational problems is 
complete w.r.t. a kind of solved forms S if for each P there exists a family of 
NEPs $Q_i$ in S-solved form such that $P \Rightarrow^*_R Q_i$ and $S(P) = \bigcup_i S(Q_i)$. 


The next result states that a NEP’s normal form with respect to the simpli- 
fication rules given in the previous section is a definition with constraints. In 
particular, all parameters are removed from the problem. The proof is by case 
analysis, considering all possible occurrences of parameters in a problem. 


Theorem 5 (Completeness). Let A be any infinite subalgebra of CORE. Then 
the rules in Figures 2, 3, and 4 are complete for parameterless solved forms and 
definition with constraints solved forms. 


6 Conclusion 


In this paper, we introduced nominal equational problems (NEPs) as an extension 
of standard first-order equational problems to nominal terms which, besides 
equations and disequations, includes freshness and non-freshness constraints. We 
proposed a sound and preserving rule-based algorithm to solve NEPs in the nominal 
ground algebra CORE, and showed that this algorithm is complete for two main 
types of solved forms: parameterless and definition with constraints. As future 
work, we aim to investigate the purely equational approach to nominal syntax 
via the formulation of freshness constraints using fixed-point equations with the 
И-quantifier [21], as well as the solvability of nominal equational problems in 
more complex algebras. 


Abstract. In rendez-vous protocols an arbitrarily large number of indis- 
tinguishable finite-state agents interact in pairs. The cut-off problem asks 
if there exists a number B such that all initial configurations of the proto- 
col with at least B agents in a given initial state can reach a final config- 
uration with all agents in a given final state. In a recent paper [17], Horn 
and Sangnier prove that the cut-off problem is equivalent to the Petri net 
reachability problem for protocols with a leader, and in EXPSPACE for 
leaderless protocols. Further, for the special class of symmetric protocols 
they reduce these bounds to PSPACE and NP, respectively. The problem 
of lowering these upper bounds or finding matching lower bounds is left 
open. We show that the cut-off problem is P-complete for leaderless pro- 
tocols, NP-complete for symmetric protocols with a leader, and in NC 
for leaderless symmetric protocols, thereby solving all the problems left 
open in [17]. 


Keywords: rendez-vous protocols - cut-off problem - Petri nets 


1 Introduction 


Distributed systems are often designed for an unbounded number of participant 
agents. Therefore, they are not just one system, but an infinite family of systems, 
one for each number of agents. Parameterized verification addresses the problem 
of checking that all systems in the family satisfy a given specification. 

In many application areas, agents are indistinguishable. This is the case in 
computational biology, where cells or molecules have no identities; in some se- 
curity applications, where the agents’ identities should stay private; or in ap- 
plications where the identities can be abstracted away, like certain classes of 
multithreaded programs [15,2,31,3,18,25]. Following [3,18], we use the term repli- 
cated systems for distributed systems with indistinguishable agents. Replicated 
systems include population protocols, broadcast protocols, threshold automata, 
and many other models [15,2,11,7,16]. They also arise after applying a counter 
abstraction [28,3]. In finite-state replicated systems the global state of the sys- 
tem is determined by the function (usually called a configuration) that assigns 
to each state the number of agents that currently occupy it. This feature makes 
many verification problems decidable [4,10]. 


Surprisingly, there is no a priori relation between the complexity of a param- 
eterized verification question (i.e., whether a given property holds for all initial 
configurations, or, equivalently, whether its negation holds for some configura- 
tion), and the complexity of its corresponding single-instance question (whether 
the property holds for a fixed initial configuration). Consider replicated systems 
where agents interact in pairs [15,17,2]. The complexity of single-instance ques- 
tions is very robust. Indeed, checking most properties, including all properties 
expressible in LTL and CTL, is PSPACE-complete [9]. On the contrary, the com- 
plexity of parameterized questions is very fragile, as exemplified by the following 
example. While the existence of a reachable configuration that populates a given 
state with at least one agent is in P, and so well below PSPACE, the existence 
of a reachable configuration that populates a given state with exactly one agent 
is as hard as the reachability problem for Petri nets, and so non-elementary [6]. 
This fragility makes the analysis of parameterized questions very interesting, but 
also much harder. 


Work on parameterized verification has concentrated on whether every ini- 
tial configuration satisfies a given property (see e.g. [15,11,3,18,7]). However, 
applications often lead to questions of the form “do all initial configurations 
in a given set satisfy the property?”, “do infinitely many initial configurations 
satisfy the property?”, or “do all but finitely many initial configurations satisfy 
the property?”. An example of the first kind is proving correctness of popula- 
tion protocols, where the specification requires that for a given partition $\mathcal{I}_0, \mathcal{I}_1$ 
of the set of initial configurations, and a partition $Q_0, Q_1$ of the set of states, 
runs starting from $\mathcal{I}_0$ eventually trap all agents within $Q_0$, and similarly for $\mathcal{I}_1$ 
and $Q_1$ [12]. An example of the third kind is the existence of cut-offs; cut-off 
properties state the existence of an initial configuration such that for all larger 
initial configurations some given property holds [8,4]. A systematic study of the 
complexity of these questions is still out of reach, but first results are appearing. 
In particular, Horn and Sangnier have recently studied the complexity of the 
cut-off problem for parameterized rendez-vous networks [17]. The problem takes 
as input a network with one single initial state init and one single final state fin, 
and asks whether there exists a cut-off B such that for every number of agents 
$n \geq B$, the final configuration in which all agents are in state fin is reachable 
from the initial configuration in which all agents are in state init. 


Horn and Sangnier study two versions of the cut-off problem, for leaderless 
networks and networks with a leader. Intuitively, a leader is a distinguished agent 
with its own set of states. They show that in the presence of a leader the cut-off 
problem and the reachability problem for Petri nets problems are inter-reducible, 
which shows that the cut-off problem is in the Ackermannian complexity class 
$F_\omega$ [22], and non-elementary [6]. For the leaderless case, they show that the prob- 
lem is in EXPSPACE. Further, they also consider the special case of symmetric 
networks, for which they obtain better upper bounds: PSPACE for the case of a 
leader, and NP in the leaderless case. These results are summarized at the top 
of Table 1. 


                           Asymmetric rendez-vous      Symmetric rendez-vous 
  Horn and Sangnier 
    Presence of a leader   Decidable, non-elementary   PSPACE 
    Absence of a leader    EXPSPACE                    NP 
  This paper 
    Presence of a leader   Decidable, non-elementary   NP-complete 
    Absence of a leader    P-complete                  NC 


Table 1. Summary of the results by Horn and Sangnier and the results of this paper. 

In [17] the question of improving the upper bounds or finding matching lower 
bounds is left open. In this paper we close it with a surprising answer: All 
elementary upper bounds of [17] can be dramatically improved. In particular, 
our main result shows that the EXPSPACE bound for the leaderless case can be 
brought down to P. Further, the PSPACE and NP bounds of the symmetric case 
can be lowered to NP and NC, respectively, as shown at the bottom of Table 1. 
We also obtain matching lower bounds. Finally, we provide almost tight upper 
bounds for the size of the cut-off B; more precisely, we show that if B exists, 
then $B \in 2^{n^{O(1)}}$ for a protocol of size n. 

Our results follow from two lemmas, called the Scaling and Insertion Lemmas, 
that connect the continuous semantics for Petri nets to their standard semantics. 
In the continuous semantics of Petri nets transition firings can be scaled by a 
positive rational factor; for example, a transition can fire with factor 1/3, taking 
"1/3 of a token" from its input places. The continuous semantics is a relaxation 
of the standard one, and its associated reachability problem is much simpler 
(polynomial instead of non-elementary [14,6,5]). The Scaling Lemma¹ states that 
given two markings $M, M'$ of a Petri net, if $M'$ is reachable from $M$ in the 
continuous semantics, then $nM'$ is reachable from $nM$ in the standard semantics 
for some $n \in 2^{m^{O(1)}}$, where m is the total size of the net and the markings. The 
Insertion Lemma states that, given four markings $M, M', L, L'$, if $M'$ is reachable 
from $M$ in the continuous semantics and the marking equation $L' = L + Ax$ has 
a solution $x \in \mathbb{Z}^T$ (observe that x can have negative components), then $nM' + L'$ 
is reachable from $nM + L$ in the standard semantics for some $n \in 2^{m^{O(1)}}$. We 
think that these lemmas can be of independent interest. 

The paper is organized as follows. Section 2 contains preliminaries; in par- 
ticular, it defines the cut-off problem for rendez-vous networks and reduces it to 
the cut-off problem for Petri nets. Section 3 gives a polynomial time algorithm 
for the leaderless cut-off problem for acyclic Petri nets. Section 4 introduces 
the Scaling and Insertion Lemmas, and Section 5 presents the novel polynomial 
time algorithm for the cut-off problem. Sections 6 and 7 present the results for 
symmetric networks, for the cases with and without leaders, respectively. 

Due to lack of space, full proofs of some of the lemmas can be found in the 
appendix. 


¹ Heavily based on previous results by Fraca and Haddad [14]. 


Finding Cut-Offs in Leaderless Rendez-Vous Protocols is Easy 45 


2 Preliminaries 


Multisets. Let E be a finite set. For a semi-ring S, a vector from E to S is a 
function $v : E \to S$. The set of all vectors from E to S will be denoted by $S^E$. In 
this paper, the semi-rings we will be concerned with are the natural numbers $\mathbb{N}$, 
the integers $\mathbb{Z}$ and the non-negative rationals $\mathbb{Q}_{\geq 0}$ (under the usual addition and 
multiplication operators). The support of a vector v is the set $\llbracket v \rrbracket := \{e : v(e) \neq 0\}$ 
and its size is the number $\|v\| = \sum_{e \in \llbracket v \rrbracket} abs(v(e))$ where $abs(x)$ denotes the 
absolute value of x. Vectors from E to $\mathbb{N}$ are also called discrete multisets (or 
just multisets) and vectors from E to $\mathbb{Q}_{\geq 0}$ are called continuous multisets. 

Given a multiset M and a number a we let $a \cdot M$ be the multiset given by 
$(a \cdot M)(e) = M(e) \cdot a$ for all $e \in E$. Given two multisets M and M' we say that 
$M \leq M'$ if $M(e) \leq M'(e)$ for all $e \in E$ and we let $M + M'$ be the multiset 
given by $(M + M')(e) = M(e) + M'(e)$ and if $M' \leq M$, we let $M - M'$ be the 
multiset given by $(M - M')(e) = M(e) - M'(e)$. The empty multiset is denoted 
by 0. We sometimes denote multisets using a set-like notation, e.g. $\{\!\{a, 2 \cdot b, c\}\!\}$ 
denotes the multiset given by $M(a) = 1$, $M(b) = 2$, $M(c) = 1$ and $M(e) = 0$ for 
all $e \notin \{a, b, c\}$. 

Given an $I \times J$ matrix A with I and J sets of indices, $I' \subseteq I$ and $J' \subseteq J$, 
we let $A_{I' \times J'}$ denote the restriction of A to rows indexed by I' and columns 
indexed by J'. 


Rendez-vous protocols and the cut-off problem. Let $\Sigma$ be a fixed finite 
set which we will call the communication alphabet and we let 
$RV(\Sigma) = \{!a, ?a : a \in \Sigma\}$. The symbol $!a$ denotes that the message a is sent and $?a$ denotes that 
the message a is received. 


Definition 1. A rendez-vous protocol $\mathcal{P}$ is a tuple $(Q, \Sigma, init, fin, R)$ where Q 
is a finite set of states, $\Sigma$ is the communication alphabet, $init, fin \in Q$ are the 
initial and final states respectively and $R \subseteq Q \times RV(\Sigma) \times Q$ is the set of rules. 


The size $|\mathcal{P}|$ of a protocol is defined as the number of bits needed to encode 
$\mathcal{P}$ in $\{0,1\}^*$ using some standard encoding. A configuration C of $\mathcal{P}$ is a multiset 
of states, where $C(q)$ should be interpreted as the number of agents in state 
q. We use $\mathcal{C}(\mathcal{P})$ to denote the set of all configurations of $\mathcal{P}$. An initial (final) 
configuration C is a configuration such that $C(q) = 0$ if $q \neq init$ (resp. $C(q) = 0$ 
if $q \neq fin$). We use $C^n_{init}$ ($C^n_{fin}$) to denote the initial (resp. final) configuration 
such that $C^n_{init}(init) = n$ (resp. $C^n_{fin}(fin) = n$). 

The operational semantics of a rendez-vous protocol $\mathcal{P}$ is given by means 
of a transition system between the configurations of $\mathcal{P}$. We say that there is 
a transition between C and C', denoted by $C \Rightarrow C'$, iff there exists $a \in \Sigma$ and 
$p, q, p', q' \in Q$ such that $(p, !a, p'), (q, ?a, q') \in R$, $C \geq \{\!\{p, q\}\!\}$ and 
$C' = C - \{\!\{p, q\}\!\} + \{\!\{p', q'\}\!\}$. As usual, $\Rightarrow^*$ denotes the reflexive and transitive 
closure of $\Rightarrow$. The cut-off problem for rendez-vous protocols, as defined in [17], is: 


Given: A rendez-vous protocol $\mathcal{P}$ 
Decide: Is there $B \in \mathbb{N}$ such that $C^n_{init} \Rightarrow^* C^n_{fin}$ for every $n \geq B$? 


If such a B exists then we say that $\mathcal{P}$ admits a cut-off and that B is a cut-off 
for $\mathcal{P}$. 


Petri nets. Rendez-vous protocols can be seen as a special class of Petri nets. 


Definition 2. A Petri net is a tuple $\mathcal{N} = (P, T, Pre, Post)$ where P is a finite 
set of places, T is a finite set of transitions, Pre and Post are matrices whose 
rows and columns are indexed by P and T respectively and whose entries belong 
to $\mathbb{N}$. The incidence matrix A of $\mathcal{N}$ is defined to be the $P \times T$ matrix given by 
$A = Post - Pre$. Further, by the weight of $\mathcal{N}$, we mean the largest absolute value 
appearing in the matrices Pre and Post. 


The size $|\mathcal{N}|$ of $\mathcal{N}$ is defined as the number of bits needed to encode $\mathcal{N}$ in 
$\{0,1\}^*$ using some suitable encoding. For a transition $t \in T$ we let 
${}^\bullet t = \{p : Pre[p,t] > 0\}$ and $t^\bullet = \{p : Post[p,t] > 0\}$. We extend this notation to sets of 
transitions in the obvious way. Given a Petri net $\mathcal{N}$, we can associate with it a 
graph where the vertices are $P \cup T$ and the edges are 
$\{(p,t) : p \in {}^\bullet t\} \cup \{(t,p) : p \in t^\bullet\}$. A Petri net $\mathcal{N}$ is called acyclic if its associated graph is acyclic. 

A marking of a Petri net is a multiset $M \in \mathbb{N}^P$, which intuitively denotes 
the number of tokens that are present in every place of the net. For $t \in T$ and 
markings M and M', we say that M' is reached from M by firing t, denoted 
$M \xrightarrow{t} M'$, if for every place p, $M(p) \geq Pre[p,t]$ and $M'(p) = M(p) + A[p,t]$. 

A firing sequence is any sequence of transitions $\sigma = t_1, t_2, \ldots, t_k \in T^*$. The 
support of $\sigma$, denoted by $\llbracket \sigma \rrbracket$, is the set of all transitions which appear in $\sigma$. We 
let $\sigma\sigma'$ denote the concatenation of two sequences $\sigma, \sigma'$. 

Given a firing sequence $\sigma = t_1, t_2, \ldots, t_k \in T^*$, we let $M \xrightarrow{\sigma} M'$ denote that 
there exist $M_1, \ldots, M_{k-1}$ such that $M \xrightarrow{t_1} M_1 \xrightarrow{t_2} M_2 \cdots M_{k-1} \xrightarrow{t_k} M'$. Further, 
$M \rightarrow M'$ denotes that there exists $t \in T$ such that $M \xrightarrow{t} M'$, and $M \xrightarrow{*} M'$ 
denotes that there exists $\sigma \in T^*$ such that $M \xrightarrow{\sigma} M'$. 


Marking equation of a Petri net system. In the following, a Petri net system is 
a triple $(\mathcal{N}, M, M')$ where $\mathcal{N}$ is a Petri net and $M \neq M'$ are markings. The 
marking equation for $(\mathcal{N}, M, M')$ is the equation 

$$M' = M + Av$$ 

over the variables v. It is well known that $M \xrightarrow{\sigma} M'$ implies $M' = M + A\vec{\sigma}$, 
where $\vec{\sigma} \in \mathbb{N}^T$ is the Parikh image of $\sigma$, defined as the vector whose com- 
ponent $\vec{\sigma}[t]$ for transition t is equal to the number of times t appears in $\sigma$. 
Therefore, if $M \xrightarrow{*} M'$ then $\vec{\sigma}$ is a nonnegative integer solution of the marking 
equation. The converse does not hold. 
From rendez-vous protocols to Petri nets. Let $\mathcal{P} = (Q, \Sigma, init, fin, R)$ be 
a rendez-vous protocol. Create a Petri net $\mathcal{N}_{\mathcal{P}} = (P, T, Pre, Post)$ as follows. 
The set of places is Q. For each letter $a \in \Sigma$ and for each pair of rules 
$r = (q, !a, s)$, $r' = (q', ?a, s') \in R$, add a transition $t_{r,r'}$ to $\mathcal{N}_{\mathcal{P}}$ and set 


— $Pre[p,t] = 0$ for every $p \notin \{q, q'\}$, $Post[p,t] = 0$ for every $p \notin \{s, s'\}$ 
— If $q = q'$ then $Pre[q,t] = 2$, otherwise $Pre[q,t] = Pre[q',t] = 1$ 
— If $s = s'$ then $Post[s,t] = 2$, otherwise $Post[s,t] = Post[s',t] = 1$. 


It is clear that any configuration of a protocol $\mathcal{P}$ is also a marking of $\mathcal{N}_{\mathcal{P}}$, 
and vice versa. Further, the following proposition is obvious. 


Proposition 1. For any two configurations C and C' we have that $C \Rightarrow^* C'$ 
over the protocol $\mathcal{P}$ iff $C \xrightarrow{*} C'$ over the Petri net $\mathcal{N}_{\mathcal{P}}$. 


Consequently, the cut-off problem for Petri nets, defined by 


Given: A Petri net system $(\mathcal{N}, M, M')$ 
Decide: Is there $B \in \mathbb{N}$ such that $n \cdot M \xrightarrow{*} n \cdot M'$ for every $n \geq B$? 


generalizes the problem for rendez-vous protocols. 
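The construction above, Proposition 1 and the cut-off problem, as an added worked example (this is not code from the paper or its authors): a small constructed rendez-vous protocol, the Petri net N_P built from it by the rule-pair construction, a brute-force check that the protocol's ⇒ relation and the net's → relation coincide on every configuration reachable from C^n_init, and a search for the witness n of Lemma 1 (Section 3.1), from which n² is a cut-off. The protocol RULES, the state names init, mid and fin, and all function names are assumptions of the example.

```python
from collections import deque
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# A configuration / marking is a canonical multiset: sorted (place, count) pairs
# with zero entries dropped, so it can be hashed and compared.
Marking = Tuple[Tuple[str, int], ...]
Rule = Tuple[str, str, str]   # (state, "!a" or "?a", state)

# Constructed example protocol (hypothetical, not one of the paper's figures):
# two `init` agents rendez-vous on `a`; the sender moves to `fin`, the receiver
# to `mid`; a `mid` agent is then pulled into `fin` by receiving `b` from a
# `fin` agent; a `fin` agent can also send `a` to a lone `init` agent.
RULES: List[Rule] = [
    ("init", "!a", "fin"), ("init", "?a", "mid"),
    ("fin", "!a", "fin"),
    ("fin", "!b", "fin"), ("mid", "?b", "fin"),
]

def canon(m: Dict[str, int]) -> Marking:
    return tuple(sorted((p, k) for p, k in m.items() if k > 0))

def step(m: Marking, remove: List[str], add: List[str]) -> Optional[Marking]:
    """M - {{remove}} + {{add}}, or None if M >= {{remove}} fails."""
    d = dict(m)
    for p in remove:
        d[p] = d.get(p, 0) - 1
    if any(v < 0 for v in d.values()):
        return None
    for p in add:
        d[p] = d.get(p, 0) + 1
    return canon(d)

def protocol_successors(c: Marking, rules: Iterable[Rule]) -> Set[Marking]:
    """C => C' of Section 2: a sender (p,!a,p') and a receiver (q,?a,q') on the same a."""
    rules = list(rules)
    out = set()
    for p, act, p2 in rules:
        if act[0] == "!":
            for q, act2, q2 in rules:
                if act2 == "?" + act[1:]:
                    c2 = step(c, [p, q], [p2, q2])
                    if c2 is not None:
                        out.add(c2)
    return out

def build_net(rules: Iterable[Rule]) -> Dict[str, Tuple[Dict[str, int], Dict[str, int]]]:
    """The net N_P: one transition t_{r,r'} per (sender, receiver) rule pair on the
    same letter, with sparse Pre/Post columns (Pre[q,t] = 2 when q = q', etc.)."""
    rules = list(rules)
    net = {}
    for p, act, p2 in rules:
        if act[0] != "!":
            continue
        for q, act2, q2 in rules:
            if act2 == "?" + act[1:]:
                pre = {p: 1}
                pre[q] = pre.get(q, 0) + 1
                post = {p2: 1}
                post[q2] = post.get(q2, 0) + 1
                net[f"t[{p}{act}{p2},{q}{act2}{q2}]"] = (pre, post)
    return net

def net_successors(m: Marking, net) -> Set[Marking]:
    """M -> M' over N_P: fire any enabled transition once."""
    out = set()
    for pre, post in net.values():
        m2 = step(m, [p for p, k in pre.items() for _ in range(k)],
                  [p for p, k in post.items() for _ in range(k)])
        if m2 is not None:
            out.add(m2)
    return out

def reachable(start: Marking, succ: Callable[[Marking], Set[Marking]]) -> Set[Marking]:
    """Breadth-first closure; finite because the number of agents is preserved."""
    seen, todo = {start}, deque([start])
    while todo:
        m = todo.popleft()
        for m2 in succ(m):
            if m2 not in seen:
                seen.add(m2)
                todo.append(m2)
    return seen

def proposition1_holds(rules: List[Rule], n: int) -> bool:
    """Check that => and -> agree on every configuration reachable from C^n_init."""
    net = build_net(rules)
    init = canon({"init": n})
    return all(protocol_successors(c, rules) == net_successors(c, net)
               for c in reachable(init, lambda c: protocol_successors(c, rules)))

def reaches_all_fin(rules: List[Rule], n: int) -> bool:
    """Does C^n_init =>* C^n_fin hold?"""
    return canon({"fin": n}) in reachable(canon({"init": n}),
                                         lambda c: protocol_successors(c, rules))

def lemma1_witness(rules: List[Rule], max_n: int) -> Optional[int]:
    """Smallest n <= max_n with C^n_init =>* C^n_fin and C^{n+1}_init =>* C^{n+1}_fin;
    by Lemma 1 of Section 3.1, n*n is then a cut-off for the protocol."""
    for n in range(1, max_n + 1):
        if reaches_all_fin(rules, n) and reaches_all_fin(rules, n + 1):
            return n
    return None

if __name__ == "__main__":
    print("Proposition 1 on configurations reachable from C^3_init:", proposition1_holds(RULES, 3))
    print("n -> C^n_init =>* C^n_fin:", {n: reaches_all_fin(RULES, n) for n in range(1, 7)})
    w = lemma1_witness(RULES, 6)
    print("Lemma 1 witness n =", w, "so", w * w, "is a cut-off (the smallest one is 2)")
```

For this protocol a single agent can never leave init, while two or more agents always reach fin, so the smallest cut-off is 2; the Lemma 1 witness is n = 2 and the bound it yields, n² = 4, is correct but not tight, which is exactly the gap the polynomial algorithm of Section 5 does not need to close.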


3 The cut-off problem for acyclic Petri nets 


We show that the cut-off problem for acyclic Petri nets can be solved in polyno- 
mial time. The reason for considering this special case first is that it illustrates 
one of the main ideas of the general case in a very pure form. 

Let us fix a Petri net system $(\mathcal{N}, M, M')$ for the rest of this section, where 
$\mathcal{N} = (P, T, Pre, Post)$ is acyclic and A is its incidence matrix. It is well-known 
that in acyclic Petri nets the reachability relation is characterized by the marking 
equation (see e.g. [24]): 


Proposition 2 ([24]). Let $(\mathcal{N}, M, M')$ be an acyclic Petri net system. For 
every sequence $\sigma \in T^*$, we have $M \xrightarrow{\sigma} M'$ iff $\vec{\sigma}$ is a solution of the marking 
equation. Consequently, $M \xrightarrow{*} M'$ iff the marking equation has a nonnegative 
integer solution. 


This proposition shows that the reachability problem for acyclic Petri nets 
reduces to the feasibility problem (i.e., existence of solutions) of systems of linear 
diophantine equations over the nonnegative integers. So the reachability problem 
for acyclic Petri nets is in NP, and in fact both the reachability and the feasibility 
problems are NP-complete [13]. 

There are two ways to relax the conditions on the solution so as to make the 
feasibility problem polynomial. Feasibility over the nonnegative rationals and 
feasibility over all integers are both in P. The first is due to the polynomiality 
of linear programming. For the second, feasibility can be decided in polynomial 
time after computing the Smith or Hermite normal forms (see e.g. [29]), which 
can themselves be computed in polynomial time [19]. We show that the cut-off 
problem can be reduced to these two relaxed problems. 
3.1 Characterizing acyclic systems with cut-offs 


Horn and Sangnier proved in [17] a very useful characterization of the rendez- 
vous protocols with a cut-off: A rendez-vous protocol $\mathcal{P}$ admits a cut-off iff there 
exists $n \in \mathbb{N}$ such that $C^n_{init} \Rightarrow^* C^n_{fin}$ and $C^{n+1}_{init} \Rightarrow^* C^{n+1}_{fin}$. The proof immediately 
generalizes to the case of Petri nets: 


Lemma 1 ([17]). A Petri net system $(\mathcal{N}, M, M')$ (acyclic or not) admits a cut- 
off iff there exists $n \in \mathbb{N}$ such that $n \cdot M \xrightarrow{*} n \cdot M'$ and $(n+1) \cdot M \xrightarrow{*} (n+1) \cdot M'$. 
Moreover, if $n \cdot M \xrightarrow{*} n \cdot M'$ and $(n+1) \cdot M \xrightarrow{*} (n+1) \cdot M'$, then $n^2$ is a cut-off 
for the system. 


Using this lemma, we characterize those acyclic Petri net systems which 
admit a cut-off. 


Theorem 1. An acyclic Petri net system $(\mathcal{N}, M, M')$ admits a cut-off iff the 
marking equation has solutions $x \in \mathbb{Q}_{\geq 0}^T$ and $y \in \mathbb{Z}^T$ such that $\llbracket y \rrbracket \subseteq \llbracket x \rrbracket$. 


Proof. ($\Rightarrow$): Suppose $(\mathcal{N}, M, M')$ admits a cut-off. Hence there exists $b \in \mathbb{N}$ 
such that for all $n \geq b$ we have $nM \xrightarrow{*} nM'$. Let $bM \xrightarrow{\sigma'} bM'$ and 
$(b+1)M \xrightarrow{\tau'} (b+1)M'$. Then, notice that $(2b+1)M \xrightarrow{\sigma'\tau'} (2b+1)M'$ and 
$(2b+2)M \xrightarrow{\tau'\tau'} (2b+2)M'$. Hence, if we let $n = 2b+1$, $\sigma = \sigma'\tau'$ and $\tau = \tau'\tau'$ we have 
$nM \xrightarrow{\sigma} nM'$, $(n+1)M \xrightarrow{\tau} (n+1)M'$ and $\llbracket \tau \rrbracket \subseteq \llbracket \sigma \rrbracket$. By Proposition 2, there exist 
$x', y' \in \mathbb{N}^T$ such that $\llbracket y' \rrbracket \subseteq \llbracket x' \rrbracket$, $nM' = nM + Ax'$ and $(n+1)M' = (n+1)M + Ay'$. 
Letting $x = x'/n$ and $y = y' - x'$, we get our required vectors. 


($\Leftarrow$): Suppose $x \in \mathbb{Q}_{\geq 0}^T$ and $y \in \mathbb{Z}^T$ are solutions of the marking equation such 
that $\llbracket y \rrbracket \subseteq \llbracket x \rrbracket$. Let $\mu$ be the least common multiple of the denominators of 
the components of x, and let $\alpha$ be the largest absolute value of the numbers in 
the vector y. By definition of $\mu$ we have $\alpha(\mu x) \in \mathbb{N}^T$. Also, since $\llbracket y \rrbracket \subseteq \llbracket x \rrbracket$ it 
follows by definition of $\alpha$ that $\alpha(\mu x) + y \geq 0$ and hence $\alpha(\mu x) + y \in \mathbb{N}^T$. Since 
$M' = M + Ax$ and $M' = M + Ay$ we get 


$$\alpha\mu M' = \alpha\mu M + A(\alpha\mu x) \quad \text{and} \quad (\alpha\mu + 1)M' = (\alpha\mu + 1)M + A(\alpha\mu x + y)$$ 


Taking $\alpha\mu = n$, by Proposition 2 we get that $nM \xrightarrow{*} nM'$ and $(n+1)M \xrightarrow{*} (n+1)M'$. 
By Lemma 1, $(\mathcal{N}, M, M')$ admits a cut-off. 


Intuitively, the existence of the rational solution $x \in \mathbb{Q}_{\geq 0}^T$ guarantees $nM \xrightarrow{*} nM'$ 
for infinitely many n, and the existence of the integer solution $y \in \mathbb{Z}^T$ 
guarantees that for one of those n we have $(n+1)M \xrightarrow{*} (n+1)M'$ as well. 


Example 1. The net system given by the net in Figure 1 along with the markings 
M and M' of the figure admits a cut-off. The conditions of the theorem are 
satisfied by $x = (\tfrac{1}{4}, \tfrac{1}{4}, \tfrac{1}{4}, \tfrac{1}{4})$ and $y = (-1, 1, 1, 1)$. 

Fig. 1. A net with cut-off 2. 


3.2 Polynomial time algorithm 


We derive a polynomial time algorithm for the cut-off problem from the char- 
acterization of Theorem 1. The first step is the following lemma. A very similar 
lemma is proved in [14], but since the proof is short we give it for the sake of 
completeness: 


Lemma 2. If the marking equation is feasible over $\mathbb{Q}_{\geq 0}$, then it has a solution 
with maximum support. Moreover, such a solution can be found in polynomial 
time. 


Proof. If $y, z \in \mathbb{Q}_{\geq 0}^T$ are solutions of the marking equation, then we have 
$M' = M + A((y+z)/2)$ and $\llbracket y \rrbracket \cup \llbracket z \rrbracket \subseteq \llbracket (y+z)/2 \rrbracket$. Hence if the marking equation 
is feasible over $\mathbb{Q}_{\geq 0}$, then it has a solution with maximum support. 

To find such a solution in polynomial time we proceed as follows. For every 
transition t we solve the linear program $M' = M + Av$, $v \geq 0$, $v(t) > 0$. (Recall 
that solving linear programs over the rationals can be done in polynomial time). 
Let $\{t_1, \ldots, t_n\}$ be the set of transitions whose associated linear programs are 
feasible over $\mathbb{Q}_{\geq 0}$ and let $\{u_1, \ldots, u_n\}$ be solutions to these programs. Then 
$\frac{1}{n} \cdot \sum_i u_i$ is a solution of the marking equation with maximum support. 

We now have all the ingredients to give a polynomial time algorithm. 
We now have all the ingredients to give a polynomial time algorithm. 


Theorem 2. The cut-off problem for acyclic net systems can be solved in poly- 
nomial time. 


Proof. First, we check that the marking equation has a solution over the non- 
negative rationals. If such a solution does not exist, by Theorem 1 the given net 
system does not admit a cut-off. 

Suppose such a solution exists. By Lemma 2 we can find a non-negative 
rational solution x with maximum support in polynomial time. Let U contain 
all the transitions t such that $x_t = 0$. We now check in polynomial time if the 
marking equation has a solution y over $\mathbb{Z}^T$ such that $y_t = 0$ for every $t \in U$. By 
Theorem 1 such a solution exists iff the net system admits a cut-off. 
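A worked instance of the (⇐) direction of Theorem 1 and of the check at the end of the algorithm above, added here as an example (it is not the authors' code). It uses a constructed three-transition acyclic net, not the net of Figure 1; the net NET, the markings M and M', the vectors X and Y and all function names are assumptions. Given the rational solution x and the integer solution y with supp(y) ⊆ supp(x), it computes μ, α and n = αμ exactly with Fractions, and then fires the resulting Parikh vectors in topological order, which is how Proposition 2 realizes a solution of the marking equation in an acyclic net. The linear-programming and normal-form steps that find x and y in polynomial time are not implemented; x and y are given.

```python
from fractions import Fraction
from math import lcm
from typing import Dict, List, Optional, Tuple

Marking = Dict[str, int]
Net = Dict[str, Tuple[Dict[str, int], Dict[str, int]]]   # t -> (Pre column, Post column)

# Constructed acyclic net (hypothetical, not the net of Figure 1):
#   t1: 2 p1 -> p2 + p3      t2: p2 -> p3      t3: 3 p1 -> 3 p3
NET: Net = {
    "t1": ({"p1": 2}, {"p2": 1, "p3": 1}),
    "t2": ({"p2": 1}, {"p3": 1}),
    "t3": ({"p1": 3}, {"p3": 3}),
}
PLACES = ["p1", "p2", "p3"]
M: Marking = {"p1": 1, "p2": 0, "p3": 0}
MP: Marking = {"p1": 0, "p2": 0, "p3": 1}
# A rational solution x of M' = M + Av and an integer solution y with supp(y) within supp(x).
X = {"t1": Fraction(1, 4), "t2": Fraction(1, 4), "t3": Fraction(1, 6)}
Y = {"t1": -1, "t2": -1, "t3": 1}

def incidence(net: Net, p: str, t: str) -> int:
    """A[p,t] = Post[p,t] - Pre[p,t]."""
    pre, post = net[t]
    return post.get(p, 0) - pre.get(p, 0)

def solves_marking_equation(net: Net, m: Marking, mp: Marking, v: Dict) -> bool:
    """M' = M + A v, checked place by place with exact arithmetic."""
    return all(mp[p] == m[p] + sum(incidence(net, p, t) * v.get(t, 0) for t in net)
               for p in PLACES)

def scale(m: Marking, n: int) -> Marking:
    return {p: n * k for p, k in m.items()}

def theorem1_witness(net: Net, m: Marking, mp: Marking, x: Dict, y: Dict):
    """The (<=) direction of Theorem 1: from x in Q_{>=0}^T and y in Z^T with
    supp(y) within supp(x), build n = alpha*mu and the nonnegative integer Parikh
    vectors x' = n x and y' = n x + y solving the equations for nM, nM' and
    (n+1)M, (n+1)M'."""
    assert solves_marking_equation(net, m, mp, x) and solves_marking_equation(net, m, mp, y)
    assert all(x[t] > 0 for t in y if y[t] != 0)          # supp(y) within supp(x)
    mu = lcm(*(Fraction(v).denominator for v in x.values()))
    alpha = max(abs(v) for v in y.values())
    n = alpha * mu
    xp = {t: int(n * x[t]) for t in net}                   # alpha*(mu*x) is integral
    yp = {t: xp[t] + y.get(t, 0) for t in net}             # alpha*(mu*x) + y >= 0
    assert all(v >= 0 for v in yp.values())
    return n, xp, yp

def topological_transitions(net: Net) -> List[str]:
    """Order transitions so that every producer of a place precedes its consumers;
    raises if the net is not acyclic."""
    order, done = [], set()
    while len(order) < len(net):
        progressed = False
        for t, (pre, _) in net.items():
            if t in done:
                continue
            producers = {u for u, (_, post) in net.items() if any(p in post for p in pre)}
            if producers <= done:
                order.append(t)
                done.add(t)
                progressed = True
        if not progressed:
            raise ValueError("net is not acyclic")
    return order

def realize_acyclic(net: Net, m: Marking, parikh: Dict[str, int]) -> Optional[Marking]:
    """Proposition 2, constructively: fire the Parikh vector in topological order and
    return the marking reached, or None if some firing is not enabled."""
    cur = dict(m)
    for t in topological_transitions(net):
        pre, post = net[t]
        for _ in range(parikh.get(t, 0)):
            if any(cur[p] < k for p, k in pre.items()):
                return None
            for p, k in pre.items():
                cur[p] -= k
            for p, k in post.items():
                cur[p] += k
    return cur

if __name__ == "__main__":
    n, xp, yp = theorem1_witness(NET, M, MP, X, Y)
    print(f"n = {n}, x' = {xp}, y' = {yp}")
    print("nM ->* nM':", realize_acyclic(NET, scale(M, n), xp) == scale(MP, n))
    print("(n+1)M ->* (n+1)M':", realize_acyclic(NET, scale(M, n + 1), yp) == scale(MP, n + 1))
    print("so by Lemma 1 the system has a cut-off, at most", n * n)
```

On this net a single token in p1 can never reach p3 (both t1 and t3 need at least two tokens), but every n ≥ 2 works: even n use t1 and t2, odd n add one firing of t3. The integer solution y = (−1, −1, 1) is exactly the correction that turns the parity-n solution into the parity-(n+1) one, which is the role Theorem 1 assigns to y.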
The rendez-vous protocol given in Figure 2, which was stated in [17], is an 
example of a protocol where the smallest cut-off is exponential in the size of 
the protocol. In the next sections, we will actually prove that if a net system $\mathcal{N}$ 
(acyclic or not) admits a cut-off, then there is one with a polynomial number of 
bits in $|\mathcal{N}|$. 


Fig. 2. Example of a protocol with an exponential cut-off 


4 The Scaling and Insertion lemmas 


Similar to the case of acyclic net systems, we would like to provide a character- 
ization of net systems admitting a cut-off and then use this characterization to 
derive a polynomial time algorithm. Unfortunately, in general net systems there 
is no characterization of reachability akin to Proposition 2 for acyclic systems. 
To this end, we prove two intermediate lemmas to help us come up with a char- 
acterization for cut-off admissible net systems in the general case. We believe 
that these two lemmas could be of independent interest in their own right. Fur- 
ther, the proofs of both lemmas are provided so that it will enable us later on 
to derive a bound on the cut-off for net systems. 


4.1 The Scaling Lemma 


The Scaling Lemma shows that, given a Petri net system $(\mathcal{N}, M, M')$, whether 
$nM \xrightarrow{*} nM'$ holds for some $n \geq 1$ can be decided in polynomial time; more- 
over, if $nM \xrightarrow{*} nM'$ holds for some n, then it holds for some n with at most 
$(|\mathcal{N}|(\log\|M\| + \log\|M'\|))^{O(1)}$ bits. The name of the lemma is due to the fact 
that the firing sequence leading from nM to nM' is obtained by scaling up a 
continuous firing sequence from M to M'; the existence of such a continuous 
sequence can be decided in polynomial time [14]. 

In the rest of the section we first recall continuous Petri nets and the charac- 
terization of [14], and then present the Scaling Lemma². 


² The lemma is implicitly proved in [14], but the bound on the size of n is hidden in 
the details of the proof, and we make it explicit. 
Reachability in continuous Petri nets. Petri nets can be given a continuous 
semantics (see e.g. [1,30,14]), in which markings are continuous multisets; we call 
them continuous markings. A continuous marking M enables a transition t with 
factor $\lambda \in \mathbb{Q}_{> 0}$ if $M(p) \geq \lambda \cdot Pre[p,t]$ for every place p; we also say that M 
enables $\lambda t$. If M enables $\lambda t$, then $\lambda t$ can fire or occur, leading to a new marking 
M' given by $M'(p) = M(p) + \lambda \cdot A[p,t]$ for every $p \in P$. We denote this by 
$M \xrightarrow{\lambda t} M'$, and say that M' is reached from M by firing $\lambda t$. A continuous firing 
sequence is any sequence of transitions $\sigma = \lambda_1 t_1, \lambda_2 t_2, \ldots, \lambda_k t_k \in (\mathbb{Q}_{> 0} \times T)^*$. 
We let $M \xrightarrow{\sigma} M'$ denote that there exist continuous markings $M_1, \ldots, M_{k-1}$ 
such that $M \xrightarrow{\lambda_1 t_1} M_1 \xrightarrow{\lambda_2 t_2} M_2 \cdots M_{k-1} \xrightarrow{\lambda_k t_k} M'$. Further, $M \xrightarrow{*} M'$ denotes 
that $M \xrightarrow{\sigma} M'$ for some continuous firing sequence $\sigma$. 

The Parikh image of $\sigma = \lambda_1 t_1, \lambda_2 t_2, \ldots, \lambda_k t_k \in (\mathbb{Q}_{> 0} \times T)^*$ is the vector 
$\vec{\sigma} \in \mathbb{Q}_{\geq 0}^T$, where $\vec{\sigma}[t] = \sum_{i=1}^{k} \delta_i \lambda_i$, where $\delta_i = 1$ if $t_i = t$ and 0 otherwise. 
The support of $\sigma$ is the support of its Parikh image $\vec{\sigma}$. If $M \xrightarrow{\sigma} M'$ then 
$\vec{\sigma}$ is a solution of the marking equation over $\mathbb{Q}_{\geq 0}$ but the converse does not 
hold. In [14], Fraca and Haddad strengthen this necessary condition to make 
it also sufficient, and use the resulting characterization to derive a polynomial 
algorithm. 


Theorem 3 ([14]). Let $(\mathcal{N}, M, M')$ be a Petri net system. 

— $M \xrightarrow{*} M'$ iff there is a $\sigma$ such that $\vec{\sigma}$ is a solution of the marking equation 
over $\mathbb{Q}_{\geq 0}^T$, and there exist continuous firing sequences $\tau, \tau'$ and continuous 
markings L and L' such that $\llbracket \tau \rrbracket = \llbracket \sigma \rrbracket = \llbracket \tau' \rrbracket$, $M \xrightarrow{\tau} L$, and $L' \xrightarrow{\tau'} M'$. 

— It can be decided in polynomial time if $M \xrightarrow{*} M'$ holds. 


Scaling. It follows easily from the definitions that $nM \xrightarrow{*} nM'$ holds for some 
$n \geq 1$ iff $M \xrightarrow{*} M'$ holds in the continuous semantics. Indeed, if $M \xrightarrow{\sigma} M'$ for some 
$\sigma = \lambda_1 t_1, \lambda_2 t_2, \ldots, \lambda_k t_k \in (\mathbb{Q}_{> 0} \times T)^*$, then we can scale this continuous firing 
sequence to a discrete sequence $nM \xrightarrow{n\sigma} nM'$ where n is the smallest number such 
that $n\lambda_1, \ldots, n\lambda_k \in \mathbb{N}$, and $n\sigma = t_1^{n\lambda_1} \cdots t_k^{n\lambda_k}$. So Theorem 3 immediately 
implies that the existence of $n \geq 1$ such that $nM \xrightarrow{*} nM'$ can be decided in polynomial 
time. The following lemma also gives a bound on n. 


Lemma 3. Let $(N, M, M')$ be a Petri net system with weight $w$ such that $M \xrightarrow{\sigma}_{\mathbb{Q}} M'$ for some continuous firing sequence $\sigma \in (\mathbb{Q}_{>0} \times T)^*$. Let $m$ be the number of transitions in $[\![\sigma]\!]$ and let $\ell$ be $\|\vec{\sigma}\|$. Let $k$ be the smallest natural number such that $k\vec{\sigma} \in \mathbb{N}^T$. Then, there exists a firing sequence $\tau \in T^*$ such that $[\![\tau]\!] = [\![\sigma]\!]$ and

$$(16 w (w+1)^{2m} k \ell \cdot M) \xrightarrow{\tau} (16 w (w+1)^{2m} k \ell \cdot M')$$


Lemma 4 (Scaling Lemma). Let $(N, M, M')$ be a Petri net system such that $M \xrightarrow{\sigma}_{\mathbb{Q}} M'$. There exists a number $n$ with a polynomial number of bits in $|N|(\log \|M\| + \log \|M'\|)$ such that $nM \xrightarrow{\tau} nM'$ for some $\tau$ with $[\![\tau]\!] = [\![\sigma]\!]$.
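The following Python snippet is an added worked example of the definitions above (written for this page; it is not code from the paper). It fires continuous firing sequences with exact rational factors on a small net, checks the marking equation, exhibits a Parikh vector that solves the marking equation without being fireable (the converse of the necessary condition fails), and performs the scaling step: the least $n$ making every $n\lambda_i$ integral is computed and the discrete sequence $n\sigma$ is fired from $nM$. The net, the markings and the sequence are constructed for this example.

```python
from fractions import Fraction
from math import gcd

# Constructed example net (not from the paper). Places p0, p1, p2 and transitions
#   t1: p0 -> p1        t2: p1 -> 2 p2        t3: p2 -> p2 (a self-loop)
PLACES = ["p0", "p1", "p2"]
PRE = {"t1": {"p0": 1}, "t2": {"p1": 1}, "t3": {"p2": 1}}
POST = {"t1": {"p1": 1}, "t2": {"p2": 2}, "t3": {"p2": 1}}


def incidence(t):
    """Column A[., t] = Post[., t] - Pre[., t] of the incidence matrix."""
    return {p: POST[t].get(p, 0) - PRE[t].get(p, 0) for p in PLACES}


def fire_continuous(M, seq):
    """Fire the continuous firing sequence seq = [(lambda_1, t_1), ...] from M.

    lambda*t is enabled iff M(p) >= lambda * Pre[p, t] for every place p; firing
    it adds lambda * A[p, t].  Returns the reached marking, or None if some step
    is not enabled."""
    M = dict(M)
    for lam, t in seq:
        if any(M[p] < lam * PRE[t].get(p, 0) for p in PLACES):
            return None
        col = incidence(t)
        M = {p: M[p] + lam * col[p] for p in PLACES}
    return M


def fire_discrete(M, seq):
    """Ordinary firing of a sequence of transitions (factor 1 everywhere)."""
    return fire_continuous(M, [(Fraction(1), t) for t in seq])


def parikh(seq):
    """Parikh image of a continuous firing sequence: total factor per transition."""
    x = {t: Fraction(0) for t in PRE}
    for lam, t in seq:
        x[t] += Fraction(lam)
    return x


def solves_marking_equation(M, x, M2):
    """Check M2 = M + A x (necessary, but not sufficient, for reachability)."""
    return all(M2[p] == M[p] + sum(x[t] * incidence(t)[p] for t in x)
               for p in PLACES)


def scale(seq):
    """Scaling: the smallest n making every n*lambda_i an integer, and the discrete
    sequence n*sigma = t_1^{n lambda_1} ... t_k^{n lambda_k} as a list."""
    n = 1
    for lam, _ in seq:
        d = Fraction(lam).denominator
        n = n * d // gcd(n, d)
    return n, [t for lam, t in seq for _ in range(int(n * Fraction(lam)))]


if __name__ == "__main__":
    M = {"p0": Fraction(1), "p1": Fraction(0), "p2": Fraction(0)}
    sigma = [(Fraction(1, 2), "t1"), (Fraction(1, 3), "t2")]
    M2 = fire_continuous(M, sigma)              # M -sigma->_Q M2
    n, tau = scale(sigma)                       # n = 6, tau = t1 t1 t1 t2 t2
    nM2 = fire_discrete({p: n * v for p, v in M.items()}, tau)
    print(M2, n, tau, nM2 == {p: n * v for p, v in M2.items()})
    # x = (t3 -> 1) solves M = M + A x, but t3 is not enabled at M (p2 is empty):
    # the marking equation alone does not imply reachability.
    print(solves_marking_equation(M, {"t1": 0, "t2": 0, "t3": Fraction(1)}, M),
          fire_continuous(M, [(Fraction(1), "t3")]))
```

Running the block fires $\sigma = \tfrac12 t_1, \tfrac13 t_2$ from $M = (1,0,0)$, reaches $M' = (\tfrac12, \tfrac16, \tfrac23)$, scales with $n = 6$ to the discrete sequence $t_1 t_1 t_1 t_2 t_2$ from $6M$, and confirms that $6M'$ is reached; the self-loop $t_3$ shows why Theorem 3 needs the additional firing conditions.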
4.2 The Insertion Lemma


In the acyclic case, the existence of a cut-off is characterized by the existence of solutions to the marking equation over $\mathbb{Q}_{\geq 0}^T$ and $\mathbb{Z}^T$. Intuitively, in the general case we replace the existence of solutions over $\mathbb{Q}_{\geq 0}^T$ by the conditions of the Scaling Lemma, and the existence of solutions over $\mathbb{Z}^T$ by the Insertion Lemma:


Lemma 5 (Insertion Lemma). Let $M, M', L, L'$ be markings of $N$ satisfying $M \xrightarrow{\sigma} M'$ for some $\sigma \in T^*$ and $L' = L + Ay$ for some $y \in \mathbb{Z}^T$ such that $[\![y]\!] \subseteq [\![\sigma]\!]$. Then $\mu M + L \xrightarrow{*} \mu M' + L'$ for $\mu = \|y\|(\|\vec{\sigma}\| n w + n w + 1)$, where $w$ is the weight of $N$, and $n$ is the number of places in ${}^\bullet[\![\sigma]\!]$.


The idea of the proof is as follows: In a first stage, we asynchronously execute multiple "copies" of the firing sequence $\sigma$ from multiple "copies" of the marking $M$, until we reach a marking at which all places of ${}^\bullet[\![\sigma]\!]$ contain a sufficiently large number of tokens. At this point we temporarily interrupt the executions of the copies of $\sigma$ to insert a firing sequence with Parikh image $\|y\| \vec{\sigma} + y$. The net effect of this sequence is to transfer some copies of $M$ to $M'$, leaving the other copies untouched, and exactly one copy of $L$ to $L'$. In the third stage, we resume the interrupted executions of the copies of $\sigma$, which completes the transfer of the remaining copies of $M$ to $M'$.


Proof. Let $x$ be the Parikh image of $\sigma$, i.e., $x = \vec{\sigma}$. Since $M \xrightarrow{\sigma} M'$, by the marking equation we have $M' = M + Ax$.


First stage: Let $\lambda_x = \|x\|$, $\lambda_y = \|y\|$ and $\mu = \lambda_y(\lambda_x n w + n w + 1)$. Let $\sigma := r_1, r_2, \ldots, r_k$ and let $M =: M_0 \xrightarrow{r_1} M_1 \xrightarrow{r_2} M_2 \cdots M_{k-1} \xrightarrow{r_k} M_k := M'$. Notice that for each place $p \in {}^\bullet[\![\sigma]\!]$, there exists a marking $M_{i_p} \in \{M_0, \ldots, M_{k-1}\}$ such that $M_{i_p}(p) > 0$.

Since each of the markings in $\{M_{i_p}\}_{p \in {}^\bullet[\![\sigma]\!]}$ can be obtained from $M$ by firing a (suitable) prefix of $\sigma$, it is easy to see that from the marking $\mu M + L = \lambda_y M + L + (\lambda_x \lambda_y n w + \lambda_y n w) M$ we can reach the marking $First := \lambda_y M + L + \sum_{p \in {}^\bullet[\![\sigma]\!]} (\lambda_x \lambda_y w + \lambda_y w) M_{i_p}$. This completes our first stage.


Second stage (insert): Since $[\![y]\!] \subseteq [\![\sigma]\!]$, if $y(t) \neq 0$ then $x(t) \neq 0$. Since $x(t) \geq 0$ for every transition, it now follows that $(\lambda_y x + y)(t) \geq 0$ for every transition $t$ and $(\lambda_y x + y)(t) > 0$ precisely for those transitions in $[\![\sigma]\!]$.

Let $\xi$ be any firing sequence such that $\vec{\xi} = \lambda_y x + y$. Notice that for every place $p \in {}^\bullet[\![\sigma]\!]$, $First(p) \geq \lambda_x \lambda_y w + \lambda_y w \geq \|\lambda_y x + y\| \cdot w$. By an easy induction on $|\xi|$, it follows that $First \xrightarrow{\xi} Second$ for some marking $Second$. By the marking equation, it follows that $Second = \lambda_y M' + L' + \sum_{p \in {}^\bullet[\![\sigma]\!]} (\lambda_x \lambda_y w + \lambda_y w) M_{i_p}$. This completes our second stage.


Third stage: Notice that for each place $p \in {}^\bullet[\![\sigma]\!]$, by construction of $M_{i_p}$, there is a firing sequence which takes the marking $M_{i_p}$ to the marking $M'$. It then follows that there is a firing sequence which takes the marking $Second$ to the marking $\lambda_y M' + L' + \sum_{p \in {}^\bullet[\![\sigma]\!]} (\lambda_x \lambda_y w + \lambda_y w) M' = \mu M' + L'$. This completes our third stage and also completes the desired firing sequence from $\mu M + L$ to $\mu M' + L'$.


Finding Cut-Offs in Leaderless Rendez-Vous Protocols is Easy 53 


5 Polynomial time algorithm for the general case 


Let $(N, M, M')$ be a net system with $N = (P, T, Pre, Post)$, and let $A$ be its incidence matrix. As in Section 3, we first characterize the Petri net systems that admit a cut-off, and then provide a polynomial time algorithm.


5.1 Characterizing systems with cut-offs 


We generalize the characterization of Theorem 1 for acyclic Petri net systems to 
general systems. 


Theorem 4. A Petri net system $(N, M, M')$ admits a cut-off iff there exists some rational firing sequence $\sigma$ such that $M \xrightarrow{\sigma}_{\mathbb{Q}} M'$ and the marking equation has a solution $y \in \mathbb{Z}^T$ such that $[\![y]\!] \subseteq [\![\sigma]\!]$.


Proof. ($\Rightarrow$): Assume $(N, M, M')$ admits a cut-off. Hence there exists $B \in \mathbb{N}$ such that for all $n \geq B$ we have $nM \xrightarrow{*} nM'$. Similar to the proof of Theorem 1, we can show that there exist $n \in \mathbb{N}$ and firing sequences $\tau, \tau'$ such that $nM \xrightarrow{\tau} nM'$, $(n+1)M \xrightarrow{\tau'} (n+1)M'$ and $[\![\tau']\!] \subseteq [\![\tau]\!]$.

Let $\tau = t_1 t_2 \cdots t_k$. Construct the rational firing sequence $\sigma := \tfrac{1}{n} t_1, \tfrac{1}{n} t_2, \ldots, \tfrac{1}{n} t_k$. From the fact that $nM \xrightarrow{\tau} nM'$, we can easily conclude by induction on $k$ that $M \xrightarrow{\sigma}_{\mathbb{Q}} M'$. Further, by the marking equation we have $nM' = nM + A\vec{\tau}$ and $(n+1)M' = (n+1)M + A\vec{\tau'}$. Let $y = \vec{\tau'} - \vec{\tau}$. Then $y \in \mathbb{Z}^T$ and $M' = M + Ay$. Further, since $[\![\tau']\!] \subseteq [\![\tau]\!] = [\![\sigma]\!]$, we have $[\![y]\!] \subseteq [\![\sigma]\!]$.


($\Leftarrow$): Assume there exists a rational firing sequence $\sigma$ and a vector $y \in \mathbb{Z}^T$ such that $[\![y]\!] \subseteq [\![\sigma]\!]$, $M \xrightarrow{\sigma}_{\mathbb{Q}} M'$ and $M' = M + Ay$. Let $s = |N|(\log \|M\| + \log \|M'\|)$. It is well known that if a system of linear equations over the integers is feasible, then there is a solution which can be described using a number of bits which is polynomial in the size of the input (see e.g. [20]). Hence, we can assume that $\|y\|$ can be described using $s^{O(1)}$ bits.

By Lemma 4 there exists $n$ (which can be described using $s^{O(1)}$ bits) and a firing sequence $\tau$ with $[\![\tau]\!] = [\![\sigma]\!]$ such that $nM \xrightarrow{\tau} nM'$. Hence $knM \xrightarrow{\tau^k} knM'$ is also possible for any $k \in \mathbb{N}$. By Lemma 5, there exists $\mu$ (which can once again be described using $s^{O(1)}$ bits) such that $\mu n M + M \xrightarrow{*} \mu n M' + M'$ is possible. By Lemma 1 the system $(N, M, M')$ admits a cut-off with a polynomial number of bits in $s$.


Notice that we have actually proved that if a net system admits a cut-off then it admits a cut-off with a polynomial number of bits in its size. Since the cut-off problem for a rendez-vous protocol $\mathcal{P}$ can be reduced to a cut-off problem for the Petri net system $(N_{\mathcal{P}}, \{\!\{init\}\!\}, \{\!\{fin\}\!\})$, it follows that:


Corollary 1. If the system $(N, M, M')$ admits a cut-off then it admits a cut-off with a polynomial number of bits in $|N|(\log \|M\| + \log \|M'\|)$. Hence, if a rendez-vous protocol $\mathcal{P}$ admits a cut-off then it admits a cut-off with a polynomial number of bits in $|\mathcal{P}|$.
5.2 Polynomial time algorithm


We use the characterization given in the previous section to provide a polynomial 
time algorithm for the cut-off problem. The following lemma, which was proved 
in [14] and whose proof is given in the appendix, enables us to find a firing 
sequence between two markings with maximum support. 


Lemma 6 ([14]). Among all the rational firing sequences $\sigma$ such that $M \xrightarrow{\sigma}_{\mathbb{Q}} M'$, there is one with maximum support. Moreover, the support of such a firing sequence can be found in polynomial time.


We now have all the ingredients to prove the existence of a polynomial time 
algorithm. 


Theorem 5. The cut-off problem for net systems can be solved in polynomial 
time. 


Proof. First, we check that there is a rational firing sequence $\sigma$ with $M \xrightarrow{\sigma}_{\mathbb{Q}} M'$, which can be done in polynomial time by ([14], Proposition 27). If such a sequence does not exist, by Theorem 4 the given net system does not admit a cut-off.

Suppose such a sequence exists. By Lemma 6 we can find in polynomial time the maximum support $S$ of all the firing sequences $\tau$ such that $M \xrightarrow{\tau}_{\mathbb{Q}} M'$. We now check in polynomial time if the marking equation has a solution $y$ over $\mathbb{Z}^T$ such that $y(t) = 0$ for every $t \notin S$. By Theorem 4 such a solution exists iff the net system admits a cut-off.


This immediately proves that the cut-off problem for rendez-vous protocols 
is also in polynomial time. By an easy logspace reduction from the Circuit Value 
Problem [21], we prove that 


Lemma 7. The cut-off problem for rendez-vous protocols is P-hard. 


Clearly, this also proves that the cut-off problem for Petri nets is P-hard. 


6 Symmetric rendez-vous protocols 


In [17] Horn and Sangnier introduce symmetric rendez-vous protocols, where sending and receiving a message at each state has the same effect, and show that the cut-off problem is in NP. We improve on their result and show that it is in NC.

Recall that NC is the set of problems in P that can be solved in polylogarithmic parallel time, i.e., problems which can be solved by a uniform family of circuits with polylogarithmic depth and a polynomial number of gates. Two well-known problems which lie in NC are graph reachability and feasibility of linear equations over the finite field $\mathbb{F}_2$ of size 2 [27,23]. We proceed to formally define symmetric protocols and state our results.
Definition 3. A rendez-vous protocol $\mathcal{P} = (Q, \Sigma, init, fin, R)$ is symmetric iff its set of rules is symmetric under swapping $!a$ and $?a$ for each $a \in \Sigma$, i.e., for each $a \in \Sigma$, we have $(q, !a, q') \in R$ iff $(q, ?a, q') \in R$.


Horn and Sangnier show that, because of their symmetric nature, there is a 
very easy characterization for cut-off admitting symmetric protocols. 


Proposition 3 ([17], Lemma 18). A symmetric protocol $\mathcal{P}$ admits a cut-off iff there exists an even number $e$ and an odd number $o$ such that $C^e_{init} \xrightarrow{*} C^e_{fin}$ and $C^o_{init} \xrightarrow{*} C^o_{fin}$.

From a symmetric protocol $\mathcal{P}$, we can derive a graph $G(\mathcal{P})$ where the vertices are the states and there is an edge between $q$ and $q'$ iff there exists $a \in \Sigma$ such that $(q, !a, q') \in R$ (and hence, by symmetry, also $(q, ?a, q') \in R$). The following proposition is immediate from the definition of symmetric protocols:


Proposition 4. Let $\mathcal{P}$ be a symmetric protocol. There exists an even number $e$ such that $C^e_{init} \xrightarrow{*} C^e_{fin}$ iff there is a path from $init$ to $fin$ in the graph $G(\mathcal{P})$.


Proof. The left to right implication is obvious. For the other side, suppose there is a path $init, q_1, q_2, \ldots, q_{m-1}, fin$ in the graph $G(\mathcal{P})$. Then $\{\!\{2 \cdot init\}\!\} \to \{\!\{2 \cdot q_1\}\!\} \to \cdots \to \{\!\{2 \cdot q_{m-1}\}\!\} \to \{\!\{2 \cdot fin\}\!\}$ is a valid run of the protocol: at each step the two processes rendez-vous on the letter labelling the edge, one sending and the other receiving, and by symmetry both move to the next state.


Since graph reachability is in NC, this takes care of the "even" case from Proposition 3. Hence, we only need to take care of the "odd" case from Proposition 3.

Fix a symmetric protocol $\mathcal{P}$ for the rest of the section. As a first step, for each state $q \in Q$, we compute whether there is a path from $init$ to $q$ and whether there is a path from $q$ to $fin$ in the graph $G(\mathcal{P})$. Since graph reachability is in NC, this computation can be carried out in NC by running graph reachability in parallel for each $q \in Q$. If such paths exist for a state $q$ then we call $q$ a good state, and otherwise a bad state. The following proposition easily follows from the symmetric nature of $\mathcal{P}$:


Proposition 5. If $q \in Q$ is a good state, then $\{\!\{2 \cdot init\}\!\} \xrightarrow{*} \{\!\{2 \cdot q\}\!\}$ and $\{\!\{2 \cdot q\}\!\} \xrightarrow{*} \{\!\{2 \cdot fin\}\!\}$.


Similar to the general case of rendez-vous protocols, given a symmetric protocol $\mathcal{P}$ we can construct a Petri net $N_{\mathcal{P}}$ whose places are the states of $\mathcal{P}$ and which faithfully represents the reachability relation of configurations of $\mathcal{P}$. Observe that this construction can be carried out in parallel over all the states in $Q$ and over all pairs of rules in $R$. Let $N = (P, T, Pre, Post)$ be the Petri net that we construct out of the symmetric protocol $\mathcal{P}$ and let $A$ be its incidence matrix. We now write the marking equation for $N$ as follows: We introduce a variable $v[t]$ for each transition $t \in T$ and we construct an equation system $Eq$ enforcing the following three conditions:


– $v[t] = 0$ for every $t \in T$ such that ${}^\bullet t \cup t^\bullet$ contains a bad state. By definition of a bad state, such transitions will never be fired on any run from an initial to a final configuration and so our requirement is safe.
– $\sum_{t \in T} A[q,t] \cdot v[t] = 0$ for each $q \notin \{init, fin\}$. Notice that the net effect of any run from an initial to a final configuration on any state not in $\{init, fin\}$ is $0$ and hence this condition is valid as well.


– $\sum_{t \in T} A[init,t] \cdot v[t] = -1$ and $\sum_{t \in T} A[fin,t] \cdot v[t] = 1$.


It is clear that the construction of $Eq$ can be carried out in parallel over each $q \in Q$ and each $t \in T$. Finally, we solve $Eq$ over arithmetic modulo 2, i.e., we solve $Eq$ over the field $\mathbb{F}_2$, which as mentioned before can be done in NC. We have:


Lemma 8. There exists an odd number $o$ such that $C^o_{init} \xrightarrow{*} C^o_{fin}$ iff the equation system $Eq$ has a solution over $\mathbb{F}_2$.


Proof. (Sketch.) The left to right implication is true because of taking modulo 2 on both sides of the marking equation. For the other side, we use an idea similar to Lemma 5. Let $x$ be a solution to $Eq$ over $\mathbb{F}_2$. Using Proposition 5 we first populate all the good states of $Q$ with enough processes such that all the good states except $init$ have an even number of processes. Then, we fire exactly once all the transitions $t$ such that $x[t] = 1$. Since $x$ satisfies $Eq$, we can now argue that in the resulting configuration, the number of processes at each bad state is $0$ and the number of processes in each good state except $fin$ is even. Hence, we can once again use Proposition 5 to conclude that we can move all the processes which are not at $fin$ to the final state $fin$.


Theorem 6. The problem of deciding whether a symmetric protocol admits a 
cut-off is in NC. 


Proof. By Proposition 3 it suffices to find an even number $e$ and an odd number $o$ such that $C^e_{init} \xrightarrow{*} C^e_{fin}$ and $C^o_{init} \xrightarrow{*} C^o_{fin}$. By Proposition 4 the former can be done in NC. By Lemma 8 and by the fact that the equation system $Eq$ can be constructed and solved in NC, it follows that the latter can also be done in NC.
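The Python code below is an added worked example of the procedure behind Theorem 6 (written for this page; it is not the authors' implementation): the even case by reachability in $G(\mathcal{P})$, the good/bad classification of states, the construction of the net $N_{\mathcal{P}}$ and of $Eq$, and the solution of $Eq$ over $\mathbb{F}_2$ by Gaussian elimination on bit masks. Both protocols are constructed for the example; the second contains an unreachable state q2 so that the effect of the first condition of $Eq$ (forcing $v[t] = 0$ on transitions touching bad states) can be observed. Sequential BFS and elimination stand in for the NC parallel algorithms; the answers are the same.

```python
from collections import deque
from itertools import combinations_with_replacement

# Constructed symmetric protocols (not from the paper). A rule (q, a, q') stands
# for both (q, !a, q') and (q, ?a, q'), which is what Definition 3 requires.
# PROTO_A admits a cut-off. PROTO_B does not: an odd number of processes can never
# all reach fin, and its state q2 is unreachable from init (a bad state).
PROTO_A = {"init": "init", "fin": "fin",
           "rules": [("init", "a", "q1"), ("q1", "a", "fin"), ("init", "a", "fin")]}
PROTO_B = {"init": "init", "fin": "fin",
           "rules": [("init", "a", "q1"), ("q1", "b", "fin"),
                     ("q2", "a", "q2"), ("q2", "b", "q2")]}


def states(P):
    return {s for q, _, q2 in P["rules"] for s in (q, q2)} | {P["init"], P["fin"]}


def reach(edges, src):
    """Vertices reachable from src; a BFS stands in for the NC reachability step."""
    seen, todo = {src}, deque([src])
    while todo:
        u = todo.popleft()
        for v in edges.get(u, ()):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen


def good_states(P):
    """States lying on some init -> fin path of G(P); every other state is bad."""
    fwd, bwd = {}, {}
    for q, _, q2 in P["rules"]:
        fwd.setdefault(q, set()).add(q2)
        bwd.setdefault(q2, set()).add(q)
    return reach(fwd, P["init"]) & reach(bwd, P["fin"])


def even_case(P):
    """Proposition 4: some even e works iff fin is reachable from init in G(P)."""
    return P["fin"] in good_states(P)


def net_transitions(P):
    """Net N_P: places are states; one transition per unordered pair of rules on the
    same letter (one process sends, the other receives; a rule may pair with itself).
    Returns, per transition, the column of A and the set of places in its pre/post-set."""
    ts = []
    for r, r2 in combinations_with_replacement(P["rules"], 2):
        if r[1] != r2[1]:
            continue
        col = {}
        for p in (r[0], r2[0]):
            col[p] = col.get(p, 0) - 1          # Pre
        for p in (r[2], r2[2]):
            col[p] = col.get(p, 0) + 1          # Post
        ts.append((col, {r[0], r2[0], r[2], r2[2]}))
    return ts


def solvable_mod2(rows):
    """Gaussian elimination over F_2.  rows = [(bitmask of variables, rhs bit)].
    Each basis row is keyed by its lowest set bit; a row that reduces to 0 = 1
    witnesses inconsistency."""
    basis = {}
    for mask, rhs in rows:
        while mask:
            low = mask & -mask
            if low not in basis:
                basis[low] = (mask, rhs)
                break
            bmask, brhs = basis[low]
            mask, rhs = mask ^ bmask, rhs ^ brhs
        if mask == 0 and rhs == 1:
            return False
    return True


def odd_case(P, exclude_bad=True):
    """Lemma 8: some odd o works iff Eq is solvable over F_2.  exclude_bad=False
    drops the first condition of Eq so its effect can be observed; it is not part
    of the algorithm.  Assumes init != fin, so the -1 and +1 rows are distinct."""
    good, ts, rows = good_states(P), net_transitions(P), []
    for i, (_, touched) in enumerate(ts):
        if exclude_bad and not touched <= good:
            rows.append((1 << i, 0))                       # v[t] = 0
    for q in states(P):
        mask = 0
        for i, (col, _) in enumerate(ts):
            if col.get(q, 0) % 2:                          # A[q, t] mod 2
                mask |= 1 << i
        rows.append((mask, 1 if q in (P["init"], P["fin"]) else 0))  # -1 = 1 in F_2
    return solvable_mod2(rows)


def admits_cutoff(P):
    """Proposition 3: a cut-off exists iff both the even and the odd case hold."""
    return even_case(P) and odd_case(P)
```

For PROTO_A the odd case is witnessed by the run $3 \cdot init \to q_1 + fin + init \to 3 \cdot fin$ (rules $(init,a,q_1)$ with $(init,a,fin)$, then $(q_1,a,fin)$ with $(init,a,fin)$), and $Eq$ is indeed solvable. For PROTO_B, dropping the bad-state condition makes $Eq$ solvable through transitions that pair a rule of q2 with a rule of a good state, although no run can ever populate q2; with the condition in place $Eq$ reduces to $0 = 1$ on the $init$ row.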


7 Symmetric protocols with leaders 


In this section, we extend symmetric rendez-vous protocols by adding a special 
process called leader. We state the cut-off problem for such protocols and prove 
that it is NP-complete. 


Definition 4. A symmetric leader protocol is a pair of symmetric protocols $\mathcal{P} = (\mathcal{P}^L, \mathcal{P}^F)$ where $\mathcal{P}^L = (Q^L, \Sigma, init^L, fin^L, R^L)$ is the leader protocol and $\mathcal{P}^F = (Q^F, \Sigma, init^F, fin^F, R^F)$ is the follower protocol, where $Q^L \cap Q^F = \emptyset$.


A configuration of a symmetric leader protocol $\mathcal{P}$ is a multiset $C$ over $Q^L \cup Q^F$ such that $\sum_{q \in Q^L} C(q) = 1$. This corresponds to the intuition that exactly one process can execute the leader protocol. For each $n \in \mathbb{N}$, let $C^n_{init}$ (resp. $C^n_{fin}$) denote the initial (resp. final) configuration of $\mathcal{P}$ given by $C^n_{init}(init^L) = 1$ (resp. $C^n_{fin}(fin^L) = 1$) and $C^n_{init}(init^F) = n$ (resp. $C^n_{fin}(fin^F) = n$). We say that $C \to C'$ if there exist $(p, !a, p'), (q, ?a, q') \in R^L \cup R^F$ such that $C \geq \{\!\{p, q\}\!\}$ and $C' = C - \{\!\{p, q\}\!\} + \{\!\{p', q'\}\!\}$. Since we allow at most one process to execute the leader protocol, given a configuration $C$, we let $lead(C)$ denote the unique state $q \in Q^L$ such that $C(q) > 0$.


Definition 5. The cut-off problem for symmetric leader protocols is the following.

Input: A symmetric leader protocol $\mathcal{P} = (\mathcal{P}^L, \mathcal{P}^F)$.
Output: Is there $B \in \mathbb{N}$ such that for all $n \geq B$, $C^n_{init} \xrightarrow{*} C^n_{fin}$?

We know the following fact regarding symmetric leader protocols.


Proposition 6 ([17], Lemma 18). A symmetric leader protocol admits a cut-off iff there exists an even number $e$ and an odd number $o$ such that $C^e_{init} \xrightarrow{*} C^e_{fin}$ and $C^o_{init} \xrightarrow{*} C^o_{fin}$.


The main theorem of this section is 


Theorem 7. The cut-off problem for symmetric leader protocols is NP-complete.


7.1 A non-deterministic polynomial time algorithm 


Let $\mathcal{P} = (\mathcal{P}^L, \mathcal{P}^F)$ be a symmetric leader protocol with $\mathcal{P}^L = (Q^L, \Sigma, init^L, fin^L, R^L)$ and $\mathcal{P}^F = (Q^F, \Sigma, init^F, fin^F, R^F)$. Similar to the previous section, from $\mathcal{P}^F$ we can construct a graph $G(\mathcal{P}^F)$ where the vertices are given by the states $Q^F$ and the edges are given by the rules in $R^F$. In $G(\mathcal{P}^F)$, we can clearly remove all vertices which are not reachable from the state $init^F$ or which do not have a path to $fin^F$. In the sequel, we will assume that such vertices do not exist in $G(\mathcal{P}^F)$.

Similar to the general case, we will construct a Petri net $N_{\mathcal{P}}$ from the given symmetric leader protocol $\mathcal{P}$. However, the construction is made slightly more complicated by the presence of a leader.

From $\mathcal{P} = (\mathcal{P}^L, \mathcal{P}^F)$, we construct a Petri net $N = (P, T, Pre, Post)$ as follows: Let $P$ be $Q^L \cup Q^F$. For each $a \in \Sigma$ and $r = (q, !a, s), r' = (q', ?a, s') \in R^L \cup R^F$ such that at most one of $r$ and $r'$ belongs to $R^L$, we will have a transition $t_{r,r'} \in T$ in $N$ such that

– $Pre[p, t] = 0$ for every $p \notin \{q, q'\}$, and $Post[p, t] = 0$ for every $p \notin \{s, s'\}$;
– if $q = q'$ then $Pre[q, t] = 2$, otherwise $Pre[q, t] = Pre[q', t] = 1$;
– if $s = s'$ then $Post[s, t] = 2$, otherwise $Post[s, t] = Post[s', t] = 1$.


Transitions $t_{r,r'}$ in which exactly one of $r, r'$ is in $R^L$ will be called leader transitions, and transitions in which both $r$ and $r'$ are in $R^F$ will be called follower-only transitions. Notice that if $t$ is a leader transition, then there is a unique place $p \in {}^\bullet t \cap Q^L$ and a unique place $p' \in t^\bullet \cap Q^L$. These places will be denoted by $t.from$ and $t.to$ respectively.

As usual, we let $A$ denote the incidence matrix of the constructed net $N$. The following proposition is obvious from the construction of the net $N$.

Proposition 7. For two configurations $C$ and $C'$, we have that $C \to C'$ in the protocol $\mathcal{P}$ iff $C \to C'$ in the net $N$.


Because $\mathcal{P}$ is symmetric we have the following fact, which is easy to verify.

Proposition 8. If $q \in Q^F$, then $\{\!\{2 \cdot init^F\}\!\} \xrightarrow{*} \{\!\{2 \cdot q\}\!\} \xrightarrow{*} \{\!\{2 \cdot fin^F\}\!\}$.


For any vector $x \in \mathbb{N}^T$, we define $lead(x)$ to be the set of all leader transitions $t$ such that $x[t] > 0$. The graph of the vector $x$, denoted by $G(x)$, is defined as follows: The set of vertices is the set $\{t.from : t \in lead(x)\} \cup \{t.to : t \in lead(x)\}$. The set of edges is the set $\{(t.from, t.to) : t \in lead(x)\}$. Further, for any two vectors $x, y \in \mathbb{N}^T$ and a transition $t \in T$, we say that $x = y[t{-}{-}]$ iff $x[t] = y[t] - 1$ and $x[t'] = y[t']$ for all $t' \neq t$.


Definition 6. Let $C$ be a configuration and let $x \in \mathbb{N}^T$. We say that the pair $(C, x)$ is compatible if $C + Ax \geq 0$ and every vertex in $G(x)$ is reachable from $lead(C)$.


The following lemma states that as long as there are enough followers in 
every state, it is possible for the leader to come up with a firing sequence from 
a compatible pair. 


Lemma 9. Suppose $(C, x)$ is a compatible pair such that $C(q) \geq 2\|x\|$ for every $q \in Q^F$. Then there is a configuration $D$ and a firing sequence $\xi$ such that $C \xrightarrow{\xi} D$ and $\vec{\xi} = x$.


Proof. (Sketch.) We prove the claim by induction on $\|x\|$. If $x[t] > 0$ for some follower-only transition $t$, then it is easy to verify that if we let $C'$ be such that $C \xrightarrow{t} C'$ and $x'$ be $x[t{-}{-}]$, then $(C', x')$ is compatible and $C'(q) \geq 2\|x'\|$ for every $q \in Q^F$.

Suppose $x[t] > 0$ for some leader transition $t$. Let $p = lead(C)$. If $p$ belongs to some cycle $S = p, r_1, p_1, r_2, p_2, \ldots, p_k, r_{k+1}, p$ in the graph $G(x)$, then we let $C \xrightarrow{r_1} C'$ and $x' = x[r_1{-}{-}]$. It is easy to verify that $C' + Ax' \geq 0$, $C'(q) \geq 2\|x'\|$ for every $q \in Q^F$ and $lead(C') = p_1$. Any path $P$ in $G(x)$ from $p$ to some vertex $s$ either goes through $p_1$ or we can use the cycle $S$ to traverse from $p_1$ to $p$ first and then use $P$ to reach $s$. This gives a path from $p_1$ to every vertex $s$ in $G(x')$.

If $p$ does not belong to any cycle in $G(x)$, then using the fact that $C + Ax \geq 0$, we can show that there is exactly one outgoing edge $t$ from $p$ in $G(x)$. We then let $C \xrightarrow{t} C'$ and $x' = x[t{-}{-}]$. Since any path in $G(x)$ from $p$ has to necessarily use this edge $t$, it follows that in $G(x')$ there is a path from $t.to = lead(C')$ to every vertex.


Lemma 10. Let $par \in \{0, 1\}$. There exists $k \in \mathbb{N}$ such that $C^k_{init} \xrightarrow{*} C^k_{fin}$ and $k \equiv par \pmod 2$ iff there exist $n \in \mathbb{N}$ and $x \in \mathbb{N}^T$ such that $n \equiv par \pmod 2$, $(C^n_{init}, x)$ is compatible and $C^n_{fin} = C^n_{init} + Ax$.
Proof. (Sketch.) The left to right implication is easy and follows from the marking equation along with induction on the number of leader transitions in the run. For the other side, we use an idea similar to Lemma 5. Let $(C^n_{init}, x)$ be the given compatible pair. We first use Proposition 8 to populate all the states of $Q^F$ with enough processes such that all the states of $Q^F$ except $init^F$ have an even number of processes. Then we use Lemma 9 to construct a firing sequence $\xi$ which can be fired from the configuration so obtained and such that $\vec{\xi} = x$. By means of the marking equation, we then argue that in the resulting configuration, the leader is in the final state, $n$ followers are in the state $fin^F$ and every other follower state has an even number of followers. Once again, using Proposition 8 we can now move all the processes which are not at $fin^F$ to the final state $fin^F$.


Lemma 11. Given a symmetric leader protocol, checking whether a cut-off ex- 
ists can be done in NP. 


Proof. By Proposition 6 it suffices to find an even number $e$ and an odd number $o$ such that $C^e_{init} \xrightarrow{*} C^e_{fin}$ and $C^o_{init} \xrightarrow{*} C^o_{fin}$. Suppose we want to check that there exists $2k \in \mathbb{N}$ such that $C^{2k}_{init} \xrightarrow{*} C^{2k}_{fin}$. We first non-deterministically guess a set of leader transitions $S = \{t_1, \ldots, t_r\}$ and check that for each $t \in S$, we can reach $t.from$ and $t.to$ from $init^L$ using only the transitions in $S$.

Once we have guessed all this, we write a polynomially sized integer linear program as follows: We let $v$ denote $|T|$ variables, one for each transition in $T$, and we let $n$ be another variable, with all these variables ranging over $\mathbb{N}$. We then enforce the following conditions: $C^{2n}_{fin} = C^{2n}_{init} + Av$, $v[t] \geq 1$ for every $t \in S$ and $v[t] = 0$ for every leader transition $t \notin S$ (so that $lead(v) = S$), and solve the resulting linear program, which we can do in non-deterministic polynomial time [26]. If there exists a solution, then we accept. Otherwise, we reject.

By Lemma 10 and by the definition of compatibility, it follows that at least one of our guesses gets accepted iff there exists $2k \in \mathbb{N}$ such that $C^{2k}_{init} \xrightarrow{*} C^{2k}_{fin}$. Similarly we can check whether there exists $2l+1 \in \mathbb{N}$ such that $C^{2l+1}_{init} \xrightarrow{*} C^{2l+1}_{fin}$.


By a reduction from 3-SAT, we prove that 


Lemma 12. The cut-off problem for symmetric leader protocols is NP-hard. 
Abstract. Knaster-Tarski's theorem, characterising the greatest fixpoint of a monotone function over a complete lattice as the largest post-fixpoint, naturally leads to the so-called coinduction proof principle for showing that some element is below the greatest fixpoint (e.g., for providing bisimilarity witnesses). The dual principle, used for showing that an element is above the least fixpoint, is related to inductive invariants. In this paper we provide proof rules which are similar in spirit but for showing that an element is above the greatest fixpoint or, dually, below the least fixpoint. The theory is developed for non-expansive monotone functions on suitable lattices of the form $\mathbb{M}^Y$, where $Y$ is a finite set and $\mathbb{M}$ an MV-algebra, and it is based on the construction of (finitary) approximations of the original functions. We show that our theory applies to a wide range of examples, including termination probabilities, behavioural distances for probabilistic automata and bisimilarity. Moreover it allows us to determine original algorithms for solving simple stochastic games.


1 Introduction 


Fixpoints are ubiquitous in computer science as they allow to provide a meaning to inductive and coinductive definitions (see, e.g., [26,23]). A monotone function $f : L \to L$ over a complete lattice $(L, \sqsubseteq)$, by Knaster-Tarski's theorem [28], admits a least fixpoint $\mu f$ and a greatest fixpoint $\nu f$ which are characterised as the least pre-fixpoint and the greatest post-fixpoint, respectively. This immediately gives well-known proof principles for showing that a lattice element $l \in L$ is below $\nu f$ or above $\mu f$:

$$\frac{l \sqsubseteq f(l)}{l \sqsubseteq \nu f} \qquad\qquad \frac{f(l) \sqsubseteq l}{\mu f \sqsubseteq l}$$

On the other hand, showing that a given element $l$ is above $\nu f$ or below $\mu f$ is more difficult. One can think of using the characterisation of least and largest fixpoints via Kleene's iteration. E.g., the largest fixpoint is the least element of the (possibly transfinite) descending chain obtained by iterating $f$ from $\top$. Then, showing that $f^i(\top) \sqsubseteq l$ for some $i$, one concludes that $\nu f \sqsubseteq l$. This proof principle is related to the notion of ranking functions. However, this is a less satisfying notion of witness since $f$ has to be applied $i$ times, and this can be inefficient or unfeasible when $i$ is an infinite ordinal.
The aim of this paper is to present an alternative proof rule for this purpose for functions over lattices of the form $L = \mathbb{M}^Y$ where $Y$ is a finite set and $\mathbb{M}$ is an MV-chain, i.e., a totally ordered complete lattice endowed with suitable operations of sum and complement. This allows us to capture several examples, ranging from ordinary relations, for dealing with bisimilarity, to behavioural metrics, termination probabilities and simple stochastic games.

Assume $f : \mathbb{M}^Y \to \mathbb{M}^Y$ monotone and consider the question of proving that some fixpoint $a : Y \to \mathbb{M}$ is the largest fixpoint $\nu f$. The idea is to show that there is no "slack" or "wiggle room" in the fixpoint $a$ that would allow us to further increase it. This is done by associating with every $a : Y \to \mathbb{M}$ a function $f^\#_a$ on $2^Y$ whose greatest fixpoint gives us the elements of $Y$ where we have a potential for increasing $a$ by adding a constant. If no such potential exists, i.e. $\nu f^\#_a = \emptyset$, we conclude that $a$ is $\nu f$. A similar function $f^a_\#$ (specifying decrease instead of increase) exists for the case of least fixpoints. Note that the premise is $\nu f^\#_a = \emptyset$, i.e. the witness remains coinductive. The proof rules are:

$$\frac{f(a) = a \qquad \nu f^\#_a = \emptyset}{\nu f = a} \qquad\qquad \frac{f(a) = a \qquad \nu f^a_\# = \emptyset}{\mu f = a}$$


For applying the rule we compute a greatest fixpoint on $2^Y$, which is finite, instead of working on the potentially infinite $\mathbb{M}^Y$. The rule does not work for all monotone functions $f : \mathbb{M}^Y \to \mathbb{M}^Y$, but we show that whenever $f$ is non-expansive the rule is valid. Actually, it is not only sound, but also reversible, i.e., if $a = \nu f$ then $\nu f^\#_a = \emptyset$, providing an if-and-only-if characterisation.

Quite interestingly, under the same assumptions on $f$, using a restricted function $f^*_a$, the rule can be used, more generally, when $a$ is just a pre-fixpoint ($f(a) \sqsubseteq a$) and it allows to conclude that $\nu f \sqsubseteq a$. A dual result holds for post-fixpoints in the case of least fixpoints.

$$\frac{f(a) \sqsubseteq a \qquad \nu f^*_a = \emptyset}{\nu f \sqsubseteq a} \qquad\qquad \frac{a \sqsubseteq f(a) \qquad \nu f^a_* = \emptyset}{a \sqsubseteq \mu f}$$


As already mentioned, the theory above applies to many interesting scenarios: 
witnesses for non-bisimilarity, algorithms for simple stochastic games [11] and 
lower bounds for termination probabilities and behavioural metrics in the setting 
of probabilistic systems [1] and probabilistic automata [2]. In particular we were 
inspired by, and generalise, the self-closed relations of Fu [16], also used in [2]. 


Motivating Example. Consider a Markov chain $(S, T, \eta)$ with a finite set of states $S$, where $T \subseteq S$ are the terminal states and every state $s \in S \setminus T$ is associated with a probability distribution $\eta(s) \in \mathcal{D}(S)$.³ Intuitively, $\eta(s)(s')$ denotes the probability of state $s$ choosing $s'$ as its successor. Assume that, given a fixed state $s \in S$, we want to determine the termination probability of $s$, i.e. the probability of reaching any terminal state from $s$. As a concrete example, take the Markov chain given in Fig. 1, where $u$ is the only terminal state.

³ $\mathcal{D}(S)$ is the set of all maps $p : S \to [0,1]$ such that $\sum_{s \in S} p(s) = 1$.
$$\mathcal{T} : [0,1]^S \to [0,1]^S \qquad \mathcal{T}(t)(s) = \begin{cases} 1 & \text{if } s \in T \\ \sum_{s' \in S} \eta(s)(s') \cdot t(s') & \text{otherwise} \end{cases}$$

[Right-hand part of Fig. 1: the Markov chain, with four states including $y$, $z$ and the terminal state $u$, each annotated with a pair of values (left $\mu\mathcal{T}$, right $t$); the drawing itself is not recoverable from the text.]

Fig. 1: Function $\mathcal{T}$ (left) and a Markov chain with two fixpoints of $\mathcal{T}$ (right)

The termination probability arises as the least fixpoint of the function $\mathcal{T}$ defined as in Fig. 1. The values of $\mu\mathcal{T}$ are indicated in green (left value).

Now consider the function $t$ assigning to each state the termination probability written in red (right value). It is not difficult to see that $t$ is another fixpoint of $\mathcal{T}$, in which states $y$ and $z$ convince each other incorrectly that they terminate with probability $1$, resulting in a vicious cycle that gives "wrong" results. We want to show that $\mu\mathcal{T} \neq t$ without knowing $\mu\mathcal{T}$. Our idea is to compute the set of states that still have some "wiggle room", i.e., those states which could reduce their termination probability by $\delta$ if all their successors did the same. This definition has a coinductive flavour and it can be computed as a greatest fixpoint on the finite powerset $2^S$ of states, instead of on the infinite lattice $[0,1]^S$.

We hence consider a function $\mathcal{T}^t_\# : 2^{[S]^t} \to 2^{[S]^t}$, dependent on $t$, defined as follows. Let $[S]^t$ be the set of all states $s$ where $t(s) > 0$, i.e., a reduction is in principle possible. Then a state $s \in [S]^t$ is in $\mathcal{T}^t_\#(S')$ iff $s \notin T$ and for all $s'$ for which $\eta(s)(s') > 0$ it holds that $s' \in S'$, i.e. all successors of $s$ are in $S'$.

The greatest fixpoint of $\mathcal{T}^t_\#$ is $\{y, z\}$. The fact that it is not empty means that there is some "wiggle room", i.e., the value of $t$ can be reduced on the elements $\{y, z\}$ and thus $t$ cannot be the least fixpoint of $\mathcal{T}$. Moreover, the intuition that $t$ can be improved on $\{y, z\}$ can be made precise, leading to the possibility of performing the improvement and searching for the least fixpoint from there.
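The following Python code is an added example (written for this page, on a Markov chain constructed here rather than the chain of Fig. 1, which the text does not fully reproduce). It implements $\mathcal{T}$ with exact rationals, the set-valued function $\mathcal{T}^t_\#$ and its greatest fixpoint computed by iterating down from $[S]^t$, compares the result for the "wrong" fixpoint $t$ with the result for $\mu\mathcal{T}$, and performs the improvement step: lowering $t$ on the wiggle-room set yields a pre-fixpoint of $\mathcal{T}$, which by the inductive rule of the introduction bounds $\mu\mathcal{T}$ from above.

```python
from fractions import Fraction

# Constructed Markov chain (not the chain of Fig. 1): u is the only terminal state,
# x terminates with probability 1/2 and otherwise enters the cycle y <-> z, which
# never terminates.  ETA maps a non-terminal state to its successor distribution.
STATES = ["x", "y", "z", "u"]
TERMINAL = {"u"}
ETA = {"x": {"u": Fraction(1, 2), "y": Fraction(1, 2)},
       "y": {"z": Fraction(1)},
       "z": {"y": Fraction(1)}}

# The "wrong" fixpoint t of the text: y and z claim termination probability 1.
T_WRONG = {"x": Fraction(1), "y": Fraction(1), "z": Fraction(1), "u": Fraction(1)}


def T(t):
    """The function of Fig. 1: 1 on terminal states, expected value of t elsewhere."""
    return {s: Fraction(1) if s in TERMINAL
            else sum(p * t[s2] for s2, p in ETA[s].items())
            for s in STATES}


def is_fixpoint(t):
    return T(t) == t


def is_prefixpoint(t):
    """T(t) <= t pointwise; by Knaster-Tarski every pre-fixpoint is above mu T."""
    return all(T(t)[s] <= t[s] for s in STATES)


def T_sharp(t, S_prime):
    """T^t_#(S'): states s with t(s) > 0 that are non-terminal and whose successors
    (those with eta(s)(s') > 0) all lie in S'."""
    return {s for s in STATES
            if t[s] > 0 and s not in TERMINAL
            and all(s2 in S_prime for s2, p in ETA[s].items() if p > 0)}


def wiggle_room(t):
    """Greatest fixpoint of T^t_# on the finite powerset 2^{[S]^t}, obtained by
    iterating down from the top element [S]^t (finite lattice, so this terminates)."""
    cur = {s for s in STATES if t[s] > 0}
    while True:
        nxt = T_sharp(t, cur)
        if nxt == cur:
            return cur
        cur = nxt


def kleene_lfp(max_iter=1000):
    """mu T by Kleene iteration from the bottom element, stopping when stable.  On
    this chain it stabilises after finitely many steps; in general it need not."""
    t = {s: Fraction(0) for s in STATES}
    for _ in range(max_iter):
        nxt = T(t)
        if nxt == t:
            return t
        t = nxt
    raise RuntimeError("Kleene iteration did not stabilise")


def decrease_on(t, where, delta):
    """Lower t by delta exactly on the states in `where` (the improvement step)."""
    return {s: t[s] - delta if s in where else t[s] for s in STATES}
```

On this chain `wiggle_room(T_WRONG)` is $\{y, z\}$ while `wiggle_room(kleene_lfp())` is empty, matching the rule: the least fixpoint has no slack. Decreasing `T_WRONG` by $\tfrac14$ on $\{y, z\}$ gives a pre-fixpoint that is no longer a fixpoint, and the least fixpoint lies below it pointwise.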


Contributions. In the paper we formalise the theory outlined above, showing 
that the proof rules work for non-expansive monotone functions f on lattices of 
the form MY, where Y is a finite set and M an MV-algebra (§3 and §4). Addi- 
tionally, given a decomposition of f we show how to obtain the corresponding 
approximation compositionally (§5). Then, in order to show that our approach 
covers a wide range of examples and allows us to derive original algorithms, we 
discuss various applications: termination probability, behavioural distances for 
probabilistic automata and bisimilarity (§6) and simple stochastic games (§7). 
Proofs and further material can be found in the full version of the paper [5]. 


2 Lattices and MV-Algebras 


In this section, we review some basic notions used in the paper. 
A preordered or partially ordered set $(P, \sqsubseteq)$ is often denoted simply as $P$, omitting the order relation. Given $x, y \in P$, with $x \sqsubseteq y$, we denote by $[x, y]$ the interval $\{z \in P \mid x \sqsubseteq z \sqsubseteq y\}$. The join and the meet of a subset $X \subseteq P$ (if they exist) are denoted $\bigsqcup X$ and $\bigsqcap X$, respectively.

A complete lattice is a partially ordered set $(L, \sqsubseteq)$ such that each subset $X \subseteq L$ admits a join $\bigsqcup X$ and a meet $\bigsqcap X$. A complete lattice $(L, \sqsubseteq)$ always has a least element $\bot = \bigsqcup \emptyset$ and a greatest element $\top = \bigsqcap \emptyset$.

A function $f : L \to L$ is monotone if for all $l, l' \in L$, if $l \sqsubseteq l'$ then $f(l) \sqsubseteq f(l')$. By Knaster-Tarski's theorem [28, Thm. 1], any monotone function on a complete lattice has a least and a greatest fixpoint, denoted respectively $\mu f$ and $\nu f$, characterised as the meet of all pre-fixpoints, respectively the join of all post-fixpoints: $\mu f = \bigsqcap \{l \mid f(l) \sqsubseteq l\}$ and $\nu f = \bigsqcup \{l \mid l \sqsubseteq f(l)\}$.

Let $(C, \sqsubseteq)$, $(A, \leq)$ be complete lattices. A Galois connection is a pair of monotone functions $(\alpha, \gamma)$ such that $\alpha : C \to A$, $\gamma : A \to C$ and for all $a \in A$ and $c \in C$: $\alpha(c) \leq a \iff c \sqsubseteq \gamma(a)$. Equivalently, for all $a \in A$ and $c \in C$, (i) $c \sqsubseteq \gamma(\alpha(c))$ and (ii) $\alpha(\gamma(a)) \leq a$. In this case we will write $(\alpha, \gamma) : C \to A$. For a Galois connection $(\alpha, \gamma) : C \to A$, the function $\alpha$ is called the left (or lower) adjoint and $\gamma$ the right (or upper) adjoint.

Galois connections are at the heart of abstract interpretation [13,14]. In particular, when $(\alpha, \gamma)$ is a Galois connection, given monotone functions $f^C : C \to C$ and $f^A : A \to A$, if $f^C \circ \gamma \sqsubseteq \gamma \circ f^A$, then $\nu f^C \sqsubseteq \gamma(\nu f^A)$. If equality holds, i.e., $f^C \circ \gamma = \gamma \circ f^A$, then greatest fixpoints are preserved along the connection, i.e., $\nu f^C = \gamma(\nu f^A)$.

Given a set $Y$ and a complete lattice $L$, the set of functions $L^Y = \{f \mid f : Y \to L\}$, endowed with the pointwise order, i.e., for $a, b \in L^Y$, $a \sqsubseteq b$ if $a(y) \sqsubseteq b(y)$ for all $y \in Y$, is a complete lattice.

In the paper we will mostly work with lattices of the kind $\mathbb{M}^Y$ where $\mathbb{M}$ is a special kind of lattice with a rich algebraic structure, i.e. an MV-algebra [21].




Definition 1 (MV-algebra). An MV-algebra is a tuple $\mathbb{M} = (M, \oplus, 0, \overline{(\cdot)})$ where $(M, \oplus, 0)$ is a commutative monoid and $\overline{(\cdot)} : M \to M$ maps each element to its complement, such that for all $x, y \in M$: (1) $\overline{\overline{x}} = x$; (2) $x \oplus \overline{0} = \overline{0}$; (3) $\overline{(\overline{x} \oplus y)} \oplus y = \overline{(\overline{y} \oplus x)} \oplus x$.

We denote $1 = \overline{0}$, multiplication $x \otimes y = \overline{\overline{x} \oplus \overline{y}}$ and subtraction $x \ominus y = x \otimes \overline{y}$.


Definition 2 (natural order). Let $\mathbb{M} = (M, \oplus, 0, \overline{(\cdot)})$ be an MV-algebra. The natural order on $M$ is defined, for $x, y \in M$, by $x \sqsubseteq y$ if $x \oplus z = y$ for some $z \in M$. When $\sqsubseteq$ is total, $\mathbb{M}$ is called an MV-chain.

The natural order gives an MV-algebra a lattice structure where $\bot = 0$, $\top = 1$, $x \sqcup y = (x \ominus y) \oplus y$ and $x \sqcap y = \overline{\overline{x} \sqcup \overline{y}} = x \otimes (\overline{x} \oplus y)$. We call the MV-algebra complete if it is a complete lattice, which is not true in general, e.g., $([0,1] \cap \mathbb{Q}, \leq)$.


Example 3. A prototypical example of an MV-algebra is $([0,1], \oplus, 0, \overline{(\cdot)})$ where $x \oplus y = \min\{x + y, 1\}$ and $\overline{x} = 1 - x$ for $x, y \in [0,1]$. This means that $x \otimes y = \max\{x + y - 1, 0\}$ and $x \ominus y = \max\{0, x - y\}$ (truncated subtraction). The operators $\oplus$ and $\otimes$ are also known as strong disjunction and conjunction in Łukasiewicz logic [22]. The natural order is $\leq$ (less or equal) on the reals.
Another example is $(\{0, \ldots, k\}, \oplus, 0, \overline{(\cdot)})$ where $n \oplus m = \min\{n + m, k\}$ and $\overline{n} = k - n$ for $n, m \in \{0, \ldots, k\}$. Both MV-algebras are complete and MV-chains. Boolean algebras (with disjunction and complement) also form MV-algebras that are complete, but in general not MV-chains.


MV-algebras are the algebraic semantics of Łukasiewicz logic. They can be shown to correspond to intervals of the kind $[0, u]$ in suitable groups, i.e., abelian lattice-ordered groups with a strong unit $u$ [21].


3 Non-expansive Functions and Their Approximations 


As mentioned in the introduction, our interest is for fixpoints of monotone functions $f : M^Y \to M^Y$, where $\mathbb{M}$ is an MV-chain and $Y$ is a finite set. We will see that for non-expansive functions we can over-approximate the sets of points in which a given $a \in M^Y$ can be increased in a way that is preserved by the application of $f$. This will be the core of the proof rules outlined earlier.


Non-expansive Functions on MV-Algebras. For defining non-expansiveness it is 
convenient to introduce a norm. 


Definition 4 (norm). Let $\mathbb{M}$ be an MV-chain and let $Y$ be a finite set. Given $a \in M^Y$ we define its norm as $\|a\| = \max\{a(y) \mid y \in Y\}$.

Given a finite set $Y$ we extend $\oplus$ and $\ominus$ to $M^Y$ pointwise. Given $Y' \subseteq Y$ and $\delta \in M$, we write $\delta_{Y'}$ for the function defined by $\delta_{Y'}(y) = \delta$ if $y \in Y'$ and $\delta_{Y'}(y) = 0$, otherwise. Whenever this does not generate confusion, we write $\delta$ instead of $\delta_Y$. It can be seen that $\|\cdot\|$ has the properties of a norm, i.e., for all $a, b \in M^Y$ and $\delta \in M$, it holds that (1) $\|a \oplus b\| \sqsubseteq \|a\| \oplus \|b\|$, (2) $\|\delta \otimes a\| = \delta \otimes \|a\|$ and (3) $\|a\| = 0$ implies that $a$ is the constant $0$. Moreover, it is clearly monotonic, i.e., if $a \sqsubseteq b$ then $\|a\| \sqsubseteq \|b\|$.

We next introduce non-expansiveness. Despite the fact that we will finally be interested in endo-functions $f : M^Y \to M^Y$, in order to allow for a compositional reasoning we work with functions where domain and codomain can be different.

Definition 5 (non-expansiveness). Let $f : M^Y \to M^Z$ be a function, where $\mathbb{M}$ is an MV-chain and $Y, Z$ are finite sets. We say that it is non-expansive if for all $a, b \in M^Y$ it holds $\|f(b) \ominus f(a)\| \sqsubseteq \|b \ominus a\|$.

Note that $(a, b) \mapsto \|a \ominus b\|$ is the supremum lifting of a directed version of Chang's distance [21]. It is easy to see that all non-expansive functions on MV-chains are monotone.


Approximating the Propagation of Increases. Let $f : M^Y \to M^Z$ be a monotone function and take $a, b \in M^Y$ with $a \sqsubseteq b$. We are interested in the difference $b(y) \ominus a(y)$ for some $y \in Y$ and in how the application of $f$ "propagates" this increase. The reason is that understanding that no increase can be propagated will be crucial to establish when a fixpoint of a non-expansive function $f$ is actually the largest one, and, more generally, when a (pre-)fixpoint of $f$ is above the largest fixpoint.

In order to formalise the above intuition, we rely on tools from abstract interpretation. In particular, the following pair of functions, which, under a suitable condition, form a Galois connection, will play a major role. The left adjoint $\alpha_{a,\delta}$ takes as input a set $Y'$ and, for $y \in Y'$, it increases the values $a(y)$ by $\delta$, while the right adjoint $\gamma_{a,\delta}$ takes as input a function $b \in M^Y$, $b \in [a, a \oplus \delta]$, and checks for which parameters $y \in Y$ the value $b(y)$ exceeds $a(y)$ by $\delta$.

We also define $[Y]_a$, the subset of elements in $Y$ where $a(y)$ is not $1$ and thus there is a potential to increase, and $\delta_a$, which gives us the minimal such increase.


Definition 6 (functions to sets, and vice versa). Let $\mathbb{M}$ be an MV-algebra and let $Y$ be a finite set. Define the set $[Y]_a = \{y \in Y \mid a(y) \neq 1\}$ and $\delta_a = \min\{\overline{a(y)} \mid y \in [Y]_a\}$ with $\min \emptyset = 1$.

For $0 \sqsubset \delta \in M$ we consider the functions $\alpha_{a,\delta} : 2^{[Y]_a} \to [a, a \oplus \delta]$ and $\gamma_{a,\delta} : [a, a \oplus \delta] \to 2^{[Y]_a}$ defined, for $Y' \in 2^{[Y]_a}$ and $b \in [a, a \oplus \delta]$, by

$\alpha_{a,\delta}(Y') = a \oplus \delta_{Y'}$      $\gamma_{a,\delta}(b) = \{y \in [Y]_a \mid b(y) \ominus a(y) \sqsupseteq \delta\}$.

When $\delta$ is sufficiently small, the pair $(\alpha_{a,\delta}, \gamma_{a,\delta})$ is a Galois connection.

Lemma 7 (Galois connection). Let $\mathbb{M}$ be an MV-algebra and $Y$ be a finite set. For $0 \sqsubset \delta \sqsubseteq \delta_a$, the pair $(\alpha_{a,\delta}, \gamma_{a,\delta}) : 2^{[Y]_a} \rightleftarrows [a, a \oplus \delta]$ is a Galois connection.

[Diagram: $\alpha_{a,\delta}$ from $2^{[Y]_a}$ to $[a, a \oplus \delta]$ and $\gamma_{a,\delta}$ back.]

Whenever $f$ is non-expansive, it is easy to see that it restricts to a function $f : [a, a \oplus \delta] \to [f(a), f(a) \oplus \delta]$ for all $\delta \in M$.

As mentioned before, a crucial result shows that for all non-expansive functions, under the assumption that $Y, Z$ are finite and the order on $M$ is total, we can suitably approximate the propagation of increases. In order to state this result, a useful tool is a notion of approximation of a function.


Definition 8 ($(\delta,a)$-approximation). Let $\mathbb{M}$ be an MV-chain, let $Y, Z$ be finite sets and let $f : M^Y \to M^Z$ be a non-expansive function. For $a \in M^Y$ and any $\delta \in M$ we define $f^\#_{a,\delta} : 2^{[Y]_a} \to 2^{[Z]_{f(a)}}$ as $f^\#_{a,\delta} = \gamma_{f(a),\delta} \circ f \circ \alpha_{a,\delta}$.

Given $Y' \subseteq [Y]_a$, its image $f^\#_{a,\delta}(Y') \subseteq [Z]_{f(a)}$ is the set of points $z \in [Z]_{f(a)}$ such that $\delta \sqsubseteq f(a \oplus \delta_{Y'})(z) \ominus f(a)(z)$, i.e., the points to which $f$ propagates an increase of the function $a$ with value $\delta$ on the subset $Y'$.

We first show that $f^\#_{a,\delta}$ is antitone in the parameter $\delta$, a non-trivial result.

Lemma 9 (anti-monotonicity). Let $\mathbb{M}$ be an MV-chain, let $Y, Z$ be finite sets, let $f : M^Y \to M^Z$ be a non-expansive function and let $a \in M^Y$. For $\theta, \delta \in M$, if $\theta \sqsubseteq \delta$ then $f^\#_{a,\delta} \subseteq f^\#_{a,\theta}$.

Since $f^\#_{a,\delta}$ increases when $\delta$ decreases and there are finitely many such functions, there must be a value $\iota^f_a$ such that all functions $f^\#_{a,\delta}$ for $0 \sqsubset \delta \sqsubseteq \iota^f_a$ are equal. This function is denoted by $f^\#_a$ and is called the $a$-approximation of $f$. We next show that indeed, for all non-expansive functions, the $a$-approximation properly approximates the propagation of increases.


Theorem 10 (approximation of non-expansive functions). Let $\mathbb{M}$ be a complete MV-chain, let $Y, Z$ be finite sets and let $f : M^Y \to M^Z$ be a non-expansive function. Then there exists $\iota^f_a \in M$, the largest value below or equal to $\delta_a$ such that $f^\#_{a,\delta} = f^\#_{a,\theta}$ for all $0 \sqsubset \theta, \delta \sqsubseteq \iota^f_a$.

We denote this function by $f^\#_a$ and call it the $a$-approximation of $f$. Then for all $0 \sqsubset \delta \in M$:

a. $\gamma_{f(a),\delta} \circ f \sqsubseteq f^\#_a \circ \gamma_{a,\delta}$
b. for $\delta \sqsubseteq \delta_a$: $\delta \sqsubseteq \iota^f_a$ iff $\gamma_{f(a),\delta} \circ f = f^\#_a \circ \gamma_{a,\delta}$

[Diagram: the square with $f : [a, a \oplus \delta] \to [f(a), f(a) \oplus \delta]$ on top and $f^\#_a : 2^{[Y]_a} \to 2^{[Z]_{f(a)}}$ below, joined by $\gamma_{a,\delta}$ and $\gamma_{f(a),\delta}$.]

Note that if $Y = Z$ and $a$ is a fixpoint of $f$, i.e., $a = f(a)$, condition (a) above corresponds exactly to soundness in the sense of abstract interpretation [13], while condition (b) corresponds to ($\gamma$-)completeness (see also §2).


4 Proof Rules 


In this section we formalise the proof technique outlined in the introduction for showing that a fixpoint is the largest and, more generally, for checking over-approximations of greatest fixpoints of non-expansive functions.

Consider a monotone function $f : M^Y \to M^Y$ for some finite set $Y$. We first focus on the problem of establishing whether some given fixpoint $a$ of $f$ coincides with $\nu f$ (without explicitly knowing $\nu f$), and, in case it does not, finding an "improvement", i.e., a post-fixpoint of $f$, larger than $a$. Observe that when $a$ is a fixpoint, $[Y]_a = [Y]_{f(a)}$ and thus the $a$-approximation of $f$ (Thm. 10) is an endofunction $f^\#_a : 2^{[Y]_a} \to 2^{[Y]_a}$. We have the following result, which relies on the fact that due to Thm. 10 $\gamma_{a,\delta}$ preserves fixpoints (of $f$ and $f^\#_a$).


Theorem 11 (soundness and completeness for fixpoints). Let $\mathbb{M}$ be a complete MV-chain, $Y$ a finite set and $f : M^Y \to M^Y$ be a non-expansive function. Let $a \in M^Y$ be a fixpoint of $f$. Then $\nu f^\#_a = \emptyset$ if and only if $a = \nu f$.


Whenever $a$ is a fixpoint, but not yet the largest fixpoint of $f$, we can increase it and obtain a post-fixpoint.

Lemma 12. Let $\mathbb{M}$ be a complete MV-chain, $f : M^Y \to M^Y$ a non-expansive function, $a \in M^Y$ a fixpoint of $f$, and let $f^\#_a$ be the corresponding $a$-approximation and $\iota^f_a$ as in Thm. 10. Then $\alpha_{a,\iota^f_a}(\nu f^\#_a) = a \oplus (\iota^f_a)_{\nu f^\#_a}$ is a post-fixpoint of $f$.


Using these results one can perform an alternative fixpoint iteration where we iterate to the largest fixpoint from below: start with a post-fixpoint $a_0 \sqsubseteq f(a_0)$ (which is clearly below $\nu f$) and obtain, by (possibly transfinite) iteration, an ascending chain that converges to $a$, the least fixpoint above $a_0$. Now check with Thm. 11 whether $Y' = \nu f^\#_a = \emptyset$. If yes, we have reached $\nu f = a$. If not, $\alpha_{a,\iota^f_a}(Y') = a \oplus (\iota^f_a)_{Y'}$ is again a post-fixpoint (cf. Lem. 12) and we continue this procedure until — for some ordinal — we reach the largest fixpoint $\nu f$, for which we have $\nu f^\#_{\nu f} = \emptyset$.

Interestingly, the soundness result in Thm. 11 can be generalised to the case in which $a$ is a pre-fixpoint instead of a fixpoint. In this case, the $a$-approximation for a function $f : M^Y \to M^Y$ is a function $f^\#_a : 2^{[Y]_a} \to 2^{[Y]_{f(a)}}$ where domain and codomain are different, hence it would not be meaningful to look for fixpoints. However, as explained below, it can be restricted to an endofunction.


Theorem 13 (soundness for pre-fixpoints). Let $\mathbb{M}$ be a complete MV-chain, $Y$ a finite set and $f : M^Y \to M^Y$ be a non-expansive function. Given a pre-fixpoint $a \in M^Y$ of $f$, let $[Y]_{a=f(a)} = \{y \in [Y]_a \mid a(y) = f(a)(y)\}$. Let us define $f^\#_{a=} : 2^{[Y]_{a=f(a)}} \to 2^{[Y]_{a=f(a)}}$ as $f^\#_{a=}(Y') = f^\#_a(Y') \cap [Y]_{a=f(a)}$, where $f^\#_a : 2^{[Y]_a} \to 2^{[Y]_{f(a)}}$ is the $a$-approximation of $f$. If $\nu f^\#_{a=} = \emptyset$ then $\nu f \sqsubseteq a$.

Roughly, the intuition for the above result is the following: the value of $f(a)$ on some $y$ might or might not depend "circularly" on the value of $a$ on $y$ itself. In a purely inductive setting, without such circular dependencies, $\mu f = \nu f$ and hence $a$ being a pre-fixpoint means that we over-approximate $\nu f$. However, we might have vicious cycles, as explained in the introduction, that destroy the over-approximation since the values are too low. Now, since we restrict to non-expansive functions, it must be the case that there is a cycle, such that all elements on this cycle are points where $a$ and $f(a)$ coincide. It is hence sufficient to check whether a given pre-fixpoint could be increased on its subpart which corresponds to a fixpoint, i.e., the idea is to restrict to $[Y]_{a=f(a)}$. We detect such situations by looking for "wiggle room" as for fixpoints.

Completeness does not generalise to pre-fixpoints, i.e., it is not true that if $a$ is a pre-fixpoint of $f$ and $\nu f \sqsubseteq a$ then $\nu f^\#_{a=} = \emptyset$. A pre-fixpoint might contain slack even though it is above the greatest fixpoint. A counterexample is in Ex. 25.


The Dual View for Least Fixpoints. The theory developed so far can be easily dualised to check under-approximations of least fixpoints. Given a complete MV-algebra $\mathbb{M} = (M, \oplus, 0, \overline{(\cdot)})$ and a monotone function $f : M^Y \to M^Y$, in order to show that a post-fixpoint $a \in M^Y$ satisfies $a \sqsubseteq \mu f$, we can in fact simply work in the dual MV-algebra $\mathbb{M}^{op} = (M, \otimes, 1, \overline{(\cdot)})$. It is convenient to formulate the conditions using $\ominus$ and the original order.

We next outline the dualised setting. The notation for the dual case is obtained from that of the original (primal) case, exchanging subscripts and superscripts. Given $a \in M^Y$, define $[Y]^a = \{y \in Y \mid a(y) \neq 0\}$ and $\delta^a = \min\{a(y) \mid y \in [Y]^a\}$. For $\theta \in M$, we consider the pair of functions $(\alpha^{a,\theta}, \gamma^{a,\theta}) : 2^{[Y]^a} \rightleftarrows [a \ominus \theta, a]$ where, for $Y' \in 2^{[Y]^a}$, we let $\alpha^{a,\theta}(Y') = a \ominus \theta_{Y'}$ and, for $b \in [a \ominus \theta, a]$, $\gamma^{a,\theta}(b) = \{y \in [Y]^a \mid a(y) \ominus b(y) \sqsupseteq \theta\}$.

[Diagram: $\alpha^{a,\theta}$ from $2^{[Y]^a}$ to $[a \ominus \theta, a]$ and $\gamma^{a,\theta}$ back.]

A function $f : M^Y \to M^Z$ is non-expansive in the dual MV-algebra when it is in the primal one. Its approximation in the sense of Thm. 10 is denoted $f^a_\#$.
Table 1: Basic functions $f : M^Y \to M^Z$ (constant, reindexing, minimum, maximum, average), function composition, disjoint union and the corresponding approximations $f^\#_a : 2^{[Y]_a} \to 2^{[Z]_{f(a)}}$, $f^a_\# : 2^{[Y]^a} \to 2^{[Z]^{f(a)}}$

Notation: $R^{-1}(z) = \{y \in Y \mid y\,R\,z\}$, $\mathrm{supp}(p) = \{y \in Y \mid p(y) > 0\}$ for $p \in \mathcal{D}(Y)$, $\mathrm{Min}_a = \{y \in Y \mid a(y) \text{ minimal}\}$, $\mathrm{Max}_a = \{y \in Y \mid a(y) \text{ maximal}\}$, $a : Y \to M$

function $f$ | definition of $f$ | $f^\#_a(Y')$ (above), $f^a_\#(Y')$ (below)
-------------------------------------------------------------------------------------------
$c_k$ ($k \in M^Z$) | $f(a) = k$ | $\emptyset$
                    |            | $\emptyset$
$u^*$ ($u : Z \to Y$) | $f(a) = a \circ u$ | $u^{-1}(Y')$
                      |                    | $u^{-1}(Y')$
$\min_R$ ($R \subseteq Y \times Z$) | $f(a)(z) = \min_{y R z} a(y)$ | $\{z \in [Z]_{f(a)} \mid \mathrm{Min}_{a|_{R^{-1}(z)}} \subseteq Y'\}$
                                    |                               | $\{z \in [Z]^{f(a)} \mid \mathrm{Min}_{a|_{R^{-1}(z)}} \cap Y' \neq \emptyset\}$
$\max_R$ ($R \subseteq Y \times Z$) | $f(a)(z) = \max_{y R z} a(y)$ | $\{z \in [Z]_{f(a)} \mid \mathrm{Max}_{a|_{R^{-1}(z)}} \cap Y' \neq \emptyset\}$
                                    |                               | $\{z \in [Z]^{f(a)} \mid \mathrm{Max}_{a|_{R^{-1}(z)}} \subseteq Y'\}$
$\mathrm{av}_D$ ($\mathbb{M} = [0,1]$, $Z = D \subseteq \mathcal{D}(Y)$) | $f(a)(p) = \sum_{y \in Y} p(y) \cdot a(y)$ | $\{p \in [D]_{f(a)} \mid \mathrm{supp}(p) \subseteq Y'\}$
                                                                          |                                           | $\{p \in [D]^{f(a)} \mid \mathrm{supp}(p) \subseteq Y'\}$
$h \circ g$ ($g : M^Y \to M^W$, $h : M^W \to M^Z$) | $f(a) = h(g(a))$ | $h^\#_{g(a)} \circ g^\#_a(Y')$
                                                   |                  | $h^{g(a)}_\# \circ g^a_\#(Y')$
$\biguplus_{i \in I} f_i$ ($I$ finite, $f_i : M^{Y_i} \to M^{Z_i}$, $Y = \biguplus_{i \in I} Y_i$, $Z = \biguplus_{i \in I} Z_i$) | $f(a) = \biguplus_{i \in I} f_i(a|_{Y_i})$ | $\biguplus_{i \in I} (f_i)^\#_{a|_{Y_i}}(Y' \cap Y_i)$
                                                                                                                                    |                                            | $\biguplus_{i \in I} (f_i)^{a|_{Y_i}}_\#(Y' \cap Y_i)$

Then the dualisations of Thm. 11 and 13 hold, i.e., if $a$ is a fixpoint of $f$, then $\nu f^a_\# = \emptyset$ iff $\mu f = a$, and whenever $a$ is a post-fixpoint, $\nu f^{a=}_\# = \emptyset$ implies $a \sqsubseteq \mu f$.


5 (De)Composing Functions and Approximations 


Given a non-expansive function $f$ and a (pre/post-)fixpoint $a$, it is often non-trivial to determine the corresponding approximations. However, non-expansive functions enjoy good closure properties (closure under composition, and closure under disjoint union) and we will see that the same holds for the corresponding approximations. Furthermore it turns out that the functions needed in the applications can be obtained from just a few templates. This gives us a toolbox for assembling approximations with relative ease.

Theorem 14. All basic functions listed in Table 1 are non-expansive. Furthermore non-expansive functions are closed under composition and disjoint union. The approximations are the ones listed in the third column of the table.
6 Applications


6.1 Termination Probability 


We start by making the example from the introduction (§1) more formal. Consider a Markov chain $(S, T, \eta)$, as defined in the introduction (Fig. 1), where we restrict the codomain of $\eta : S \setminus T \to \mathcal{D}(S)$ to $D \subseteq \mathcal{D}(S)$, where $D$ is finite (to ensure that all involved sets are finite). Furthermore let $\mathcal{T} : [0,1]^S \to [0,1]^S$ be the function from the introduction whose least fixpoint $\mu\mathcal{T}$ assigns to each state its termination probability.

Lemma 15. The function $\mathcal{T}$ can be written as $\mathcal{T} = (\eta^* \circ \mathrm{av}_D) \uplus c_k$, where $k : T \to [0,1]$ is the constant function $1$ defined only on terminal states.

From this representation and Thm. 14 it is obvious that $\mathcal{T}$ is non-expansive.

Lemma 16. Let $t : S \to [0,1]$. The approximation for $\mathcal{T}$ in the dual sense is $\mathcal{T}^t_\# : 2^{[S]^t} \to 2^{[S]^{\mathcal{T}(t)}}$ with

$\mathcal{T}^t_\#(S') = \{s \in [S]^{\mathcal{T}(t)} \mid s \notin T \wedge \mathrm{supp}(\eta(s)) \subseteq S'\}$.
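As an added example (not code from the paper), the following computes the dual $(\theta, t)$-approximation of $\mathcal{T}$ directly from Definition 8, as $\gamma^{\mathcal{T}(t),\theta} \circ \mathcal{T} \circ \alpha^{t,\theta}$, and compares it with the closed form of Lemma 16, also showing the threshold $\delta^t$ of Thm. 10 beyond which the two differ. The Markov chain, its two fixpoints and the thresholds are constructed assumptions, not taken from the paper.

```python
"""Added example, not code from the paper: the dual (theta, t)-approximation of
the termination-probability function T, computed directly from Definition 8 as
gamma^{T(t),theta} o T o alpha^{t,theta}, compared with Lemma 16's closed form.

Constructed Markov chain (an assumption, not the paper's Fig. 1): states a, b, c
and the terminal state t, with eta(a) = {b:1/2, t:1/2}, eta(b) = {a:1/2, c:1/2}
and eta(c) = {c:1}; c can never terminate.
"""
from fractions import Fraction as F
from itertools import chain, combinations

TERMINAL = {"t"}
ETA = {"a": {"b": F(1, 2), "t": F(1, 2)},
       "b": {"a": F(1, 2), "c": F(1, 2)},
       "c": {"c": F(1)}}
STATES = set(ETA) | TERMINAL


def T(a):
    """Termination-probability function: 1 on terminal states, expectation elsewhere."""
    return {s: (F(1) if s in TERMINAL else sum(p * a[s2] for s2, p in ETA[s].items()))
            for s in STATES}


def ominus(x, y):
    """Truncated subtraction of the [0,1] MV-chain (Example 3)."""
    return max(F(0), x - y)


def carrier(a):
    """[S]^a = {s | a(s) != 0}: states with room to decrease (dual view)."""
    return {s for s in STATES if a[s] != 0}


def delta_of(a):
    """delta^a = min{a(s) | s in [S]^a}, the largest decrease possible on all of [S]^a."""
    return min((a[s] for s in carrier(a)), default=F(1))


def alpha(a, theta, Sp):
    """alpha^{a,theta}(S') = a (-) theta_{S'}: decrease a by theta on S'."""
    return {s: (ominus(a[s], theta) if s in Sp else a[s]) for s in STATES}


def gamma(a, theta, b):
    """gamma^{a,theta}(b): states of [S]^a where b lies at least theta below a."""
    return {s for s in carrier(a) if ominus(a[s], b[s]) >= theta}


def T_sharp_def(t, theta, Sp):
    """T^{t,theta}_#(S') straight from Definition 8 in its dual form."""
    return gamma(T(t), theta, T(alpha(t, theta, Sp)))


def T_sharp_lemma16(t, Sp):
    """Closed form of Lemma 16: non-terminal states whose support lies inside S'."""
    return {s for s in carrier(T(t)) if s not in TERMINAL and set(ETA[s]) <= Sp}


def nu(fn, top):
    """Greatest fixpoint of a monotone set function, by iteration down from `top`."""
    R = set(top)
    while True:
        nxt = fn(R)
        if nxt == R:
            return R
        R = nxt


def agree_on_all_subsets(t, theta):
    """True iff the definitional approximation at theta equals Lemma 16's closed form
    on every S' that is a subset of [S]^t (it does for theta below delta^t)."""
    base = sorted(carrier(t))
    subsets = chain.from_iterable(combinations(base, k) for k in range(len(base) + 1))
    return all(T_sharp_def(t, theta, set(Sp)) == T_sharp_lemma16(t, set(Sp)) for Sp in subsets)


# Two fixpoints of T on this chain (computed by hand, checked in __main__):
MU_T = {"a": F(2, 3), "b": F(1, 3), "c": F(0), "t": F(1)}   # least: c never terminates
NU_T = {s: F(1) for s in STATES}                           # greatest: everything 1

if __name__ == "__main__":
    for name, t in (("mu T", MU_T), ("nu T", NU_T)):
        assert T(t) == t
        # Dual of Thm. 11: a fixpoint is the least one iff nu T^t_# is empty.
        print(name, "is the least fixpoint:",
              not nu(lambda R: T_sharp_lemma16(t, R), carrier(t)))
    print("agree at theta = delta^t:", agree_on_all_subsets(MU_T, delta_of(MU_T)))
    print("agree at theta = 1/2   :", agree_on_all_subsets(MU_T, F(1, 2)))
```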


It is well-known that the function $\mathcal{T}$ can be tweaked in such a way that it has a unique fixpoint, coinciding with $\mu\mathcal{T}$, by determining all states which cannot reach a terminal state and setting their value to zero [3]. Hence fixpoint iteration from above does not bring us any added value here. It does however make sense to use the proof rule in order to guarantee lower bounds via post-fixpoints.

Furthermore, termination probability is a special case of the considerably more complex stochastic games that will be studied in §7, where the trick of modifying the function is not applicable.


6.2 Behavioural Metrics for Probabilistic Automata 


Before we start discussing probabilistic automata, we first consider the Hausdorff 
and the Kantorovich lifting and the corresponding approximations. 


Hausdorff Lifting. Given a metric on a set $X$, the Hausdorff metric is obtained by lifting the original metric to $2^X$. Here we define this for general distance functions on $\mathbb{M}$, not restricting to metrics. In particular the Hausdorff lifting is given by a function $H : M^{X \times X} \to M^{2^X \times 2^X}$ where

$H(d)(X_1, X_2) = \max\{\max_{x_1 \in X_1} \min_{x_2 \in X_2} d(x_1, x_2),\ \max_{x_2 \in X_2} \min_{x_1 \in X_1} d(x_1, x_2)\}$.

An alternative characterisation due to Mémoli [20], also in [4], is more convenient for our purposes. Let $u : 2^{X \times X} \to 2^X \times 2^X$ with $u(C) = (\pi_1[C], \pi_2[C])$, where $\pi_1, \pi_2$ are the projections $\pi_i : X \times X \to X$ and $\pi_i[C] = \{\pi_i(c) \mid c \in C\}$. Then $H(d)(X_1, X_2) = \min\{\max_{(x_1, x_2) \in C} d(x_1, x_2) \mid C \subseteq X \times X \wedge u(C) = (X_1, X_2)\}$. Relying on this, we can obtain the result below, from which we deduce that $H$ is non-expansive and construct its approximation as the composition of the corresponding functions from Table 1.

Lemma 17. $H = \min_u \circ \max_{\in}$ where $\max_{\in} : M^{X \times X} \to M^{2^{X \times X}}$ ($\in\ \subseteq (X \times X) \times 2^{X \times X}$ is the "is-element-of"-relation on $X \times X$), $\min_u : M^{2^{X \times X}} \to M^{2^X \times 2^X}$.


Kantorovich Lifting. The Kantorovich (also known as Wasserstein) lifting converts a metric on $X$ to a metric on probability distributions over $X$. As for the Hausdorff lifting, we lift distance functions that are not necessarily metrics.

Furthermore, in order to ensure finiteness of all the sets involved, we restrict to $D \subseteq \mathcal{D}(X)$, some finite set of probability distributions over $X$. A coupling of $p, q \in D$ is a probability distribution $c \in \mathcal{D}(X \times X)$ whose left and right marginals are $p, q$, i.e., $p(x_1) = \pi^c_1(x_1) := \sum_{x_2 \in X} c(x_1, x_2)$ and $q(x_2) = \pi^c_2(x_2) := \sum_{x_1 \in X} c(x_1, x_2)$. The set of all couplings of $p, q$, denoted by $\Omega(p, q)$, forms a polytope with finitely many vertices [24]. The set of all polytope vertices that are obtained by coupling any $p, q \in D$ is also finite and is denoted by $VP_D \subseteq \mathcal{D}(X \times X)$.

The Kantorovich lifting is given by $K : [0,1]^{X \times X} \to [0,1]^{D \times D}$ where

$K(d)(p, q) = \min_{c \in \Omega(p,q)} \sum_{(x_1, x_2) \in X \times X} c(x_1, x_2) \cdot d(x_1, x_2)$.

The coupling $c$ can be interpreted as the optimal transport plan to move goods from suppliers to customers [30]. Again there is an alternative characterisation, which shows non-expansiveness of $K$:

Lemma 18. Let $u : VP_D \to D \times D$, $u(c) = (\pi^c_1, \pi^c_2)$. Then $K = \min_u \circ \mathrm{av}_{VP_D}$, where $\mathrm{av}_{VP_D} : [0,1]^{X \times X} \to [0,1]^{VP_D}$, $\min_u : [0,1]^{VP_D} \to [0,1]^{D \times D}$.


Probabilistic Automata. We now compare our approach with [2], which describes 
the first method for computing behavioural distances for probabilistic automata. 
Although the behavioural distance arises as a least fixpoint, it is in fact better, 
even the only known method, to iterate from above, in order to reach this least 
fixpoint. This is done by guessing and improving couplings, similar to strategy 
iteration discussed later in §7. A major complication, faced in [2], is that the 
procedure can get stuck at a fixpoint which is not the least and one has to 
determine that this is the case and decrease the current candidate. In fact this 
paper was our inspiration to generalise this technique to a more general setting. 

A probabilistic automaton is a tuple $A = (S, L, \eta, \ell)$, where $S$ is a non-empty finite set of states, $L$ is a finite set of labels, $\eta : S \to 2^{\mathcal{D}(S)}$ assigns finite sets of probability distributions to states and $\ell : S \to L$ is a labelling function. (In the following we again replace $\mathcal{D}(S)$ by a finite subset $D$.)

The probabilistic bisimilarity pseudometrics is the least fixpoint of the function $\mathcal{M} : [0,1]^{S \times S} \to [0,1]^{S \times S}$ where for $d : S \times S \to [0,1]$, $s, t \in S$:

$\mathcal{M}(d)(s,t) = \begin{cases} 1 & \text{if } \ell(s) \neq \ell(t) \\ H(K(d))(\eta(s), \eta(t)) & \text{otherwise} \end{cases}$

where $H$ is the Hausdorff lifting (for $\mathbb{M} = [0,1]$) and $K$ is the Kantorovich lifting defined earlier. Now assume that $d$ is a fixpoint of $\mathcal{M}$, i.e., $d = \mathcal{M}(d)$. In order to check whether $d = \mu\mathcal{M}$, [2] adapts the notion of a self-closed relation from [16].

Definition 19 ([2]). A relation $M \subseteq S \times S$ is self-closed wrt. $d = \mathcal{M}(d)$ if, whenever $s\,M\,t$, then

– $\ell(s) = \ell(t)$ and $d(s,t) > 0$,
– if $p \in \eta(s)$ and $d(s,t) = \min_{q' \in \eta(t)} K(d)(p, q')$, then there exists $q \in \eta(t)$ and $c \in \Omega(p, q)$ such that $d(s,t) = \sum_{u, v \in S} d(u,v) \cdot c(u,v)$ and $\mathrm{supp}(c) \subseteq M$,
– if $q \in \eta(t)$ and $d(s,t) = \min_{p' \in \eta(s)} K(d)(p', q)$, then there exists $p \in \eta(s)$ and $c \in \Omega(p, q)$ such that $d(s,t) = \sum_{u, v \in S} d(u,v) \cdot c(u,v)$ and $\mathrm{supp}(c) \subseteq M$.


The largest self-closed relation is empty if and only if $d = \mu\mathcal{M}$ [2]. We now investigate the relation between self-closed relations and post-fixpoints of approximations. For this we will first show that $\mathcal{M}$ can be composed from non-expansive functions, which proves that it is indeed non-expansive. Furthermore, this decomposition will help in the comparison.


Lemma 20. The fixpoint function $\mathcal{M}$ characterizing probabilistic bisimilarity pseudometrics can be written as:

$\mathcal{M} = \max_\rho \circ (((\eta \times \eta)^* \circ H \circ K) \uplus c_l)$

where $\rho : (S \times S) \uplus (S \times S) \to (S \times S)$ with $\rho((s,t), i) = (s,t)$.$^4$ Furthermore $l : S \times S \to [0,1]$ is defined as $l(s,t) = 0$ if $\ell(s) = \ell(t)$ and $l(s,t) = 1$ if $\ell(s) \neq \ell(t)$.

Hence $\mathcal{M}$ is a composition of non-expansive functions and thus non-expansive itself. We do not spell out $\mathcal{M}^d_\#$ explicitly, but instead show how it is related to self-closed relations.

Proposition 21. Let $d : S \times S \to [0,1]$ where $d = \mathcal{M}(d)$. Then $\mathcal{M}^d_\# : 2^{[S \times S]^d} \to 2^{[S \times S]^d}$ where $[S \times S]^d = \{(s,t) \in S \times S \mid d(s,t) > 0\}$.

Then $M$ is a self-closed relation wrt. $d$ if and only if $M \subseteq [S \times S]^d$ and $M$ is a post-fixpoint of $\mathcal{M}^d_\#$.


6.3 Bisimilarity 


In order to define standard bisimilarity we use a variant of the Hausdorff lifting $H$ from §6.2 where max and min are swapped, which we denote by $G$.

Now we can define the fixpoint function for bisimilarity and its corresponding approximation. For simplicity we consider unlabelled transition systems, but it would be straightforward to handle labelled transitions.

Let $X$ be a finite set of states and $\eta : X \to 2^X$ a function that assigns a set of successors $\eta(x)$ to a state $x \in X$. For the fixpoint function for bisimilarity $\mathcal{B} : \{0,1\}^{X \times X} \to \{0,1\}^{X \times X}$ we use the Hausdorff lifting $G$ with $\mathbb{M} = \{0,1\}$.

Lemma 22. Bisimilarity on $\eta$ is the greatest fixpoint of $\mathcal{B} = (\eta \times \eta)^* \circ G$.


4 Here we use $i \in \{0,1\}$ as indices to distinguish the elements in the disjoint union.

Since we are interested in the greatest fixpoint, we are working in the primal sense. Bisimulation relations are represented by their characteristic functions $d : X \times X \to \{0,1\}$; in fact the corresponding relation can be obtained by taking the complement of $[X \times X]_d = \{(x_1, x_2) \in X \times X \mid d(x_1, x_2) = 0\}$.


Lemma 23. Let $d : X \times X \to \{0,1\}$. The approximation for the bisimilarity function $\mathcal{B}$ in the primal sense is $\mathcal{B}^\#_d : 2^{[X \times X]_d} \to 2^{[X \times X]_{\mathcal{B}(d)}}$ with

$\mathcal{B}^\#_d(R) = \{(x_1, x_2) \in [X \times X]_{\mathcal{B}(d)} \mid$
$\quad \forall y_1 \in \eta(x_1)\, \exists y_2 \in \eta(x_2)\, ((y_1, y_2) \notin [X \times X]_d \vee (y_1, y_2) \in R)$
$\quad \wedge\ \forall y_2 \in \eta(x_2)\, \exists y_1 \in \eta(x_1)\, ((y_1, y_2) \notin [X \times X]_d \vee (y_1, y_2) \in R)\}$


We conclude this section by discussing how this view on bisimilarity can be useful: first, it again opens up the possibility to compute bisimilarity — a greatest fixpoint — by iterating from below, through smaller fixpoints. This could potentially be useful if it is easy to compute the least fixpoint of $\mathcal{B}$ inductively and continue from there.

Furthermore, we obtain a technique for witnessing non-bisimilarity of states. While this can also be done by exhibiting a distinguishing modal formula [17,9] or by a winning strategy for the spoiler in the bisimulation game [27], to our knowledge there is no known method that does this directly, based on the definition of bisimilarity.

With our technique however, we can witness non-bisimilarity of two states $x_1, x_2 \in X$ by presenting a pre-fixpoint $d$ (i.e., $\mathcal{B}(d) \leq d$) such that $d(x_1, x_2) = 0$ (equivalent to $(x_1, x_2) \in [X \times X]_d$) and $\nu\mathcal{B}^\#_d = \emptyset$, since this implies $\nu\mathcal{B}(x_1, x_2) \leq d(x_1, x_2) = 0$ by our proof rule.

There are two issues to discuss: first, how can we characterise a pre-fixpoint of $\mathcal{B}$ (which is quite unusual, since bisimulations are post-fixpoints)? In fact, the condition $\mathcal{B}(d) \leq d$ can be rewritten to: for all $(x_1, x_2) \in [X \times X]_d$ there exists $y_1 \in \eta(x_1)$ such that for all $y_2 \in \eta(x_2)$ we have $(y_1, y_2) \in [X \times X]_d$ (or vice versa). Second, at first sight it does not seem as if we gained anything since we still have to do a fixpoint computation on relations. However, the carrier set is $[X \times X]_d$, i.e., a set of non-bisimilarity witnesses, and this set can be small even though $X$ might be large.


Example 24. We consider the transition system depicted below. Our aim is to construct a witness showing that $x, u$ are not bisimilar. This witness is a function $d : X \times X \to \{0,1\}$ with $d(x,u) = 0 = d(y,u)$ and for all other pairs the value is $1$.

[Figure: the transition system of Example 24 (not reproduced).]

Hence $[X \times X]_{d=\mathcal{B}(d)} = [X \times X]_d = \{(x,u), (y,u)\}$ and it is easy to check that $d$ is a pre-fixpoint of $\mathcal{B}$ and that $\nu\mathcal{B}^\#_d = \emptyset$: we iterate over $\{(x,u), (y,u)\}$ and first remove $(y,u)$ (since $y$ has no successors) and then $(x,u)$. This implies that $\nu\mathcal{B} \leq d$ and hence $\nu\mathcal{B}(x,u) = 0$, which means that $x, u$ are not bisimilar.

Example 25. We modify Ex. 24 and consider a function $d$ where $d(x,u) = 0$ and all other values are $1$. Again $d$ is a pre-fixpoint of $\mathcal{B}$ and $\nu\mathcal{B} \leq d$ (since only reflexive pairs are in the bisimilarity). However $\nu\mathcal{B}^\#_d \neq \emptyset$, since $\{(x,u)\}$ is a post-fixpoint. This is a counterexample to completeness discussed after Thm. 13.

Intuitively speaking, the states $y, u$ over-approximate and claim that they are bisimilar, although they are not. (This is permissible for a pre-fixpoint.) This tricks $x, u$ into thinking that there is some wiggle room and that one can increase the value of $(x,u)$. This is true, but only because of the limited, local view, since the "true" value of $(y,u)$ is $0$.
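As an added example, not code from the paper, the following computes $\mathcal{B}^\#_d$ of Lemma 23 and the restricted endofunction of Thm. 13, and runs the non-bisimilarity proof rule on the witnesses of Examples 24 and 25. Since the figure is not reproduced above, the transition system ($x \to x$, $x \to y$, $u \to u$, $y$ without successors) is an assumption chosen to match the text.

```python
"""Added example, not code from the paper: Lemma 23's approximation B^#_d of the
bisimilarity function B, together with the proof rule of Thm. 13, run on the
witnesses d of Examples 24 and 25.

The figure of Example 24 is not reproduced above, so the transition system is an
assumption chosen to match the text (y has no successors; x,u and y,u are not
bisimilar): x -> x, x -> y and u -> u.
"""
from itertools import product

ETA = {"x": {"x", "y"}, "y": set(), "u": {"u"}}   # constructed eta : X -> 2^X
PAIRS = set(product(ETA, repeat=2))


def witness(zero_pairs):
    """Characteristic function d : X x X -> {0,1} that is 0 exactly on zero_pairs."""
    return {p: (0 if p in zero_pairs else 1) for p in PAIRS}


def zero_set(d):
    """[X x X]_d = {(x1,x2) | d(x1,x2) = 0}, the carrier of the approximation."""
    return {p for p in PAIRS if d[p] == 0}


def B(d, eta):
    """B = (eta x eta)^* o G over M = {0,1}; G is the Hausdorff lifting H with max
    and min swapped.  An empty min is 1 (top) and an empty max is 0 (bottom)."""
    def half(ys1, ys2, swap):
        val = (lambda a, b: d[(b, a)]) if swap else (lambda a, b: d[(a, b)])
        return min((max((val(a, b) for b in ys2), default=0) for a in ys1), default=1)
    return {(x1, x2): min(half(eta[x1], eta[x2], False), half(eta[x2], eta[x1], True))
            for (x1, x2) in PAIRS}


def is_prefixpoint(d, eta):
    """B(d) <= d pointwise: the unusual direction, since bisimulations are post-fixpoints."""
    bd = B(d, eta)
    return all(bd[p] <= d[p] for p in PAIRS)


def B_sharp(d, eta, R):
    """Lemma 23: B^#_d(R), a subset of [X x X]_{B(d)}, for R a subset of [X x X]_d."""
    zd = zero_set(d)

    def ok(y1, y2):                     # (y1,y2) not in [X x X]_d  or  (y1,y2) in R
        return (y1, y2) not in zd or (y1, y2) in R

    return {(x1, x2) for (x1, x2) in zero_set(B(d, eta))
            if all(any(ok(y1, y2) for y2 in eta[x2]) for y1 in eta[x1])
            and all(any(ok(y1, y2) for y1 in eta[x1]) for y2 in eta[x2])}


def eq_carrier(d, eta):
    """[X x X]_{d=B(d)}: pairs of [X x X]_d on which d and B(d) agree (Thm. 13)."""
    bd = B(d, eta)
    return {p for p in zero_set(d) if d[p] == bd[p]}


def B_sharp_eq(d, eta, R):
    """Thm. 13's endofunction B^#_{d=}(R) = B^#_d(R) restricted to [X x X]_{d=B(d)}."""
    return B_sharp(d, eta, R) & eq_carrier(d, eta)


def nu_B_sharp_eq(d, eta):
    """nu B^#_{d=}, by iterating down from the full carrier (finite, so it terminates)."""
    R = eq_carrier(d, eta)
    while True:
        nxt = B_sharp_eq(d, eta, R)
        if nxt == R:
            return R
        R = nxt


def certifies_non_bisimilar(d, eta, pair):
    """Proof rule of Thm. 13: a pre-fixpoint d with d(pair) = 0 and nu B^#_{d=} empty
    gives nu B <= d, hence nu B(pair) = 0, i.e. the two states are not bisimilar."""
    return is_prefixpoint(d, eta) and d[pair] == 0 and not nu_B_sharp_eq(d, eta)


def bisimilarity(eta):
    """nu B by Kleene iteration from the top element, as an independent cross-check."""
    d = {p: 1 for p in PAIRS}
    while True:
        nxt = B(d, eta)
        if nxt == d:
            return d
        d = nxt


D24 = witness({("x", "u"), ("y", "u")})   # Example 24: nu B^#_{d=} = {}
D25 = witness({("x", "u")})               # Example 25: nu B^#_{d=} = {(x,u)}

if __name__ == "__main__":
    print("Ex. 24 certifies x,u non-bisimilar:", certifies_non_bisimilar(D24, ETA, ("x", "u")))
    print("Ex. 25 nu B^#_{d=} =", nu_B_sharp_eq(D25, ETA), "(slack, although nu B <= d)")
```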


7 Simple Stochastic Games 


Introduction to Simple Stochastic Games. In this section we show how our techniques can be applied to simple stochastic games [11,10]. A simple stochastic game is a state-based two-player game where the two players, Min and Max, each own a subset of states they control, for which they can choose the successor. The system also contains sink states with an assigned payoff and averaging states which randomly choose their successor based on a given probability distribution. The goal of Min is to minimise and the goal of Max to maximise the payoff.

Simple stochastic games are an important type of games that subsume parity games and the computation of behavioural distances for probabilistic automata (cf. §6.2, [2]). The associated decision problem is known to lie in NP $\cap$ coNP, but it is an open question whether it is contained in P. There are known randomised subexponential algorithms [7].

It has been shown that it is sufficient to consider positional strategies, i.e., strategies where the choice of the player is only dependent on the current state. The expected payoffs for each state form a so-called value vector and can be obtained as the least solution of a fixpoint equation (see below).


A simple stochastic game is given by a finite set $V$ of nodes, partitioned into $MIN$, $MAX$, $AV$ (average) and $SINK$, and the following data: $\eta_{min} : MIN \to 2^V$, $\eta_{max} : MAX \to 2^V$ (successor functions for Min and Max nodes), $\eta_{av} : AV \to D$ (probability distributions, where $D \subseteq \mathcal{D}(V)$ finite) and $w : SINK \to [0,1]$ (weights of sink nodes).

The fixpoint function $\mathcal{V} : [0,1]^V \to [0,1]^V$ is defined below for $a : V \to [0,1]$ and $v \in V$:

$\mathcal{V}(a)(v) = \begin{cases} \min_{v' \in \eta_{min}(v)} a(v') & v \in MIN \\ \max_{v' \in \eta_{max}(v)} a(v') & v \in MAX \\ \sum_{v' \in V} \eta_{av}(v)(v') \cdot a(v') & v \in AV \\ w(v) & v \in SINK \end{cases}$


The least fixpoint of $\mathcal{V}$ specifies the average payoff for all nodes when Min and Max play optimally. In an infinite game the payoff is $0$. In order to avoid infinite games and guarantee uniqueness of the fixpoint, many authors [18,10,29] restrict to stopping games, which are guaranteed to terminate for every pair of Min/Max-strategies. Here we deal with general games where more than one fixpoint may exist. Such a scenario has been studied in [19], which considers value iteration to under- and over-approximate the value vector. The over-approximation faces challenges with cyclic dependencies, similar to the vicious cycles described earlier. Here we focus on strategy iteration, which is usually less efficient than value iteration, but yields a precise result instead of approximating it.


Example 26. We consider the game depicted below. Here $min$ is a Min node with $\eta_{min}(min) = \{1, av\}$, $max$ is a Max node with $\eta_{max}(max) = \{\varepsilon, av\}$, $1$ is a sink node with payoff $1$, $\varepsilon$ is a sink node with some small payoff $\varepsilon \in (0,1)$ and $av$ is an average node which transitions to both $min$ and $max$ with probability $\frac{1}{2}$. Min should choose $av$ as successor since a payoff of $1$ is bad for Min. Given this choice of Min, Max should not declare $av$ as successor since this would create an infinite play and hence the payoff is $0$. Therefore Max has to choose $\varepsilon$ and be content with a payoff of $\varepsilon$, which is achieved from all nodes different from $1$.

[Figure: the game of Example 26 (not reproduced).]


In order to be able to determine the approximation of V and to apply our 
techniques, we consider the following equivalent definition. 


Lemma 27. $\mathcal{V} = (\eta_{min}^* \circ \min_{\in}) \uplus (\eta_{max}^* \circ \max_{\in}) \uplus (\eta_{av}^* \circ \mathrm{av}_D) \uplus c_w$, where $\in\ \subseteq V \times 2^V$ is the "is-element-of"-relation on $V$.


As a composition of non-expansive functions, V is non-expansive as well. Since 
we are interested in the least fixpoint we work in the dual sense and obtain the 
following approximation, which intuitively says: we can decrease a value at node 
v by a constant only if, in the case of a Min node, we decrease the value of one 
successor where the minimum is reached, in the case of a Max node, we decrease 
the values of all successors where the maximum is reached, and in the case of an 
average node, we decrease the values of all successors. 


Lemma 28. Let $a : V \to [0,1]$. The approximation for the value iteration function $\mathcal{V}$ in the dual sense is $\mathcal{V}^a_\# : 2^{[V]^a} \to 2^{[V]^{\mathcal{V}(a)}}$ with

$\mathcal{V}^a_\#(V') = \{v \in [V]^{\mathcal{V}(a)} \mid (v \in MIN \wedge \mathrm{Min}_{a|_{\eta_{min}(v)}} \cap V' \neq \emptyset) \vee$
$\quad (v \in MAX \wedge \mathrm{Max}_{a|_{\eta_{max}(v)}} \subseteq V') \vee (v \in AV \wedge \mathrm{supp}(\eta_{av}(v)) \subseteq V')\}$
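As an added example, not code from the paper, the following evaluates $\mathcal{V}^a_\#$ of Lemma 28 on the game of Example 26 and applies the dual form of the proof rule of Thm. 11 (a fixpoint $a$ equals $\mu\mathcal{V}$ iff $\nu\mathcal{V}^a_\# = \emptyset$) together with the decrease step dual to Lemma 12; the payoff $\varepsilon = 1/10$ is a constructed choice.

```python
"""Added example, not code from the paper: Lemma 28's dual approximation V^a_# of
the value function V, evaluated on the game of Example 26, together with the dual
form of the proof rule of Thm. 11 and the decrease step dual to Lemma 12.

The game's figure is not reproduced above; the nodes and edges follow the text of
Example 26.  eps = 1/10 is a constructed choice (the text only says eps in (0,1)).
"""
from fractions import Fraction as F

EPS = F(1, 10)
MIN, MAX, AV, SINK = {"min"}, {"max"}, {"av"}, {"one", "eps"}
ETA_MIN = {"min": {"one", "av"}}
ETA_MAX = {"max": {"eps", "av"}}
ETA_AV = {"av": {"min": F(1, 2), "max": F(1, 2)}}
W = {"one": F(1), "eps": EPS}
NODES = MIN | MAX | AV | SINK


def V(a):
    """The value function V of Section 7 (min / max / average / sink weight)."""
    out = {}
    for v in NODES:
        if v in MIN:
            out[v] = min(a[s] for s in ETA_MIN[v])
        elif v in MAX:
            out[v] = max(a[s] for s in ETA_MAX[v])
        elif v in AV:
            out[v] = sum(p * a[s] for s, p in ETA_AV[v].items())
        else:
            out[v] = W[v]
    return out


def ext_set(a, succ, fn):
    """Min_{a|succ} (fn=min) or Max_{a|succ} (fn=max): successors where a is extremal."""
    best = fn(a[s] for s in succ)
    return {s for s in succ if a[s] == best}


def V_sharp(a, Vp):
    """Lemma 28: V^a_#(V'), a subset of [V]^{V(a)}.  Sink nodes never propagate."""
    va = V(a)
    res = set()
    for v in NODES:
        if va[v] == 0:
            continue
        if v in MIN and ext_set(a, ETA_MIN[v], min) & Vp:
            res.add(v)          # some minimal successor is decreased
        elif v in MAX and ext_set(a, ETA_MAX[v], max) <= Vp:
            res.add(v)          # all maximal successors are decreased
        elif v in AV and set(ETA_AV[v]) <= Vp:
            res.add(v)          # the whole support is decreased
    return res


def nu_V_sharp(a):
    """nu V^a_#, by iterating down from the top element [V]^a = {v | a(v) != 0}."""
    R = {v for v in NODES if a[v] != 0}
    while True:
        nxt = V_sharp(a, R)
        if nxt == R:
            return R
        R = nxt


def is_fixpoint(a):
    return V(a) == a


def is_least_fixpoint(a):
    """Dual of Thm. 11: a fixpoint a equals mu V iff nu V^a_# is empty."""
    return is_fixpoint(a) and not nu_V_sharp(a)


def decrease(a, delta):
    """Dual of Lemma 12: lower a by delta on nu V^a_# (delta small enough, chosen by
    the caller); the result is a pre-fixpoint of V from which iteration can go on."""
    R = nu_V_sharp(a)
    return {v: (max(F(0), a[v] - delta) if v in R else a[v]) for v in NODES}


def candidate(c):
    """The fixpoints of Example 26: value c on min, max and av, for any c in [eps, 1]."""
    return {"min": c, "max": c, "av": c, "one": F(1), "eps": EPS}


if __name__ == "__main__":
    for c in (F(1), F(1, 2), EPS):
        a = candidate(c)
        print(f"c = {c}: fixpoint = {is_fixpoint(a)}, nu V^a_# = {sorted(nu_V_sharp(a))}")
    print("c = 1/2 lowered on its slack:", decrease(candidate(F(1, 2)), F(1, 10)))
```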


Strategy Iteration from Above and Below. We describe two algorithms based on 
strategy iteration, first introduced by Hoffman and Karp in [18], that are novel, 
as far as we know. The first iterates to the least fixpoint from above and uses 
the techniques described in §4. The second iterates from below: the role of our 
results is not directly visible in the code of the algorithm, but its non-trivial 
correctness proof is based on the proof rule introduced earlier. 
Determine $\mu\mathcal{V}$ (from above)

1. Guess a Min-strategy $\tau^{(0)}$, $i := 0$
2. $a^{(i)} := \mu\mathcal{V}_{\tau^{(i)}}$
3. $\tau^{(i+1)} := \mathrm{sw}_{min}(\tau^{(i)}, a^{(i)})$
4. If $\tau^{(i+1)} \neq \tau^{(i)}$ then $i := i+1$ and goto 2.
5. Compute $V' = \nu\mathcal{V}^a_\#$, where $a = a^{(i)}$
6. If $V' = \emptyset$ then stop and return $a^{(i)}$. Otherwise set $a^{(i+1)} := a^{(i)} \ominus (\iota)_{V'}$, $\tau^{(i+2)} := \mathrm{sw}_{min}(\tau^{(i)}, a^{(i+1)})$, $i := i+2$, goto 2.

(a) Strategy iteration from above

Determine $\mu\mathcal{V}$ (from below)

1. Guess a Max-strategy $\sigma^{(0)}$, $i := 0$
2. $a^{(i)} := \mu\mathcal{V}_{\sigma^{(i)}}$
3. $\sigma^{(i+1)} := \mathrm{sw}_{max}(\sigma^{(i)}, a^{(i)})$
4. If $\sigma^{(i+1)} \neq \sigma^{(i)}$ set $i := i+1$ and goto 2. Otherwise stop and return $a^{(i)}$.

(b) Strategy iteration from below

Fig. 2: Strategy iteration from above and below


We first recap the underlying notions: a Min-strategy is a mapping $\tau : MIN \to V$ such that $\tau(v) \in \eta_{min}(v)$ for every $v \in MIN$. With such a strategy, Min decides to always leave a node $v$ via $\tau(v)$. Analogously $\sigma : MAX \to V$ fixes a Max-strategy. Fixing a strategy for either player induces a modified value function. If $\tau$ is a Min-strategy, we obtain $\mathcal{V}_\tau$, which is defined exactly as $\mathcal{V}$ but for $v \in MIN$ where we set $\mathcal{V}_\tau(a)(v) = a(\tau(v))$. Analogously, for $\sigma$ a Max-strategy, $\mathcal{V}_\sigma$ is obtained by setting $\mathcal{V}_\sigma(a)(v) = a(\sigma(v))$ when $v \in MAX$. If both players fix their strategies, the game reduces to a Markov chain.

In order to describe our algorithms we also need the notion of a switch. Assume that $\tau$ is a Min-strategy and let $a$ be a (pre-)fixpoint of $\mathcal{V}_\tau$. Min can now potentially improve her strategy for nodes $v \in MIN$ where $\min_{v' \in \eta_{min}(v)} a(v') < a(\tau(v))$, called switch nodes. This results in a Min-strategy $\tau' = \mathrm{sw}_{min}(\tau, a)$, where$^5$ $\tau'(v) = \mathrm{argmin}_{v' \in \eta_{min}(v)} a(v')$ for a switch node $v$ and $\tau', \tau$ agree otherwise. Also, $\mathrm{sw}_{max}(\sigma, a)$ is defined analogously for Max strategies.

Now strategy iteration from above works as described in Figure 2a. The computation of $\mu V_{\tau^{(i)}}$ in the second step intuitively means that Max chooses his best answering strategy and we compute the least fixpoint based on this answering strategy. At some point no further switches are possible and we have reached a fixpoint $a$, which need not yet be the least fixpoint. Hence we use the techniques from §4 to decrease $a$ and obtain a new pre-fixpoint $a^{(i+1)}$, from which we can continue. The correctness of this procedure partially follows from Thm. 11 and Lem. 12; however, we also need to show the following: first, we can compute $a^{(i)} = \mu V_{\tau^{(i)}}$ efficiently by solving a linear program (cf. Lem. 29) by adapting [11]. Second, the chain of the $a^{(i)}$ decreases, which means that the algorithm will eventually terminate (cf. Thm. 30).


5 If the minimum is achieved in several nodes, Min simply chooses one of them. How- 
ever, she will only switch if this strictly improves the value. 
Strategy iteration from below is given in Figure 2b. At first sight, the algorithm looks simpler than strategy iteration from above, since we do not have to check whether we have already reached $\mu V$, reduce and continue from there. However, in this case the computation of $\mu V_{\sigma^{(i)}}$ via a linear program is more involved (cf. Lem. 29), since we have to pre-compute (via greatest fixpoint iteration over $2^V$) the nodes where Min can force a cycle based on the current strategy of Max, thus obtaining payoff 0.

This algorithm does not directly use our technique, but we can use our proof rules to prove the correctness of the algorithm (Thm. 30). In particular, the proof that the sequence $a^{(i)}$ increases is quite involved: we have to show that $a^{(i)} = \mu V_{\sigma^{(i)}} \leq \mu V_{\sigma^{(i+1)}} = a^{(i+1)}$. We prove this, using our proof rules, by showing that $a^{(i)}$ is below the least fixpoint of $V_{\sigma^{(i+1)}}$.

The algorithm generalises strategy iteration by Hoffman and Karp [18]. Note 
that we cannot simply adapt their proof, since we do not assume that the game 
is stopping, which is a crucial ingredient. 


Lemma 29. The least fixpoints of $V_\tau$ and $V_\sigma$ can be determined by solving linear programs.


Theorem 30. Strategy iteration from above and below both terminate and com- 
pute the least fixpoint of V. 


Example 31. Ex. 26 is well suited to explain our two algorithms.

Starting with strategy iteration from above, we may guess $\tau^{(0)}(min) = 1$. In this case, Max would choose $av$ as successor and we would reach a fixpoint where each node except for $\varepsilon$ is associated with a payoff of 1. Next, our algorithm would detect the vicious cycle formed by $min$, $av$ and $max$. We can reduce the values in this vicious cycle and reach the correct payoff values for each node.

For strategy iteration from below assume that $\sigma^{(0)}(max) = av$. Given this strategy of Max, Min can force the play to stay in a cycle formed by $min$, $av$ and $max$. Thus, the payoff achieved by the Max strategy $\sigma^{(0)}$ and an optimal play by Min would be 0 for each of these nodes. In the next iteration Max switches and chooses $\varepsilon$ as successor, i.e. $\sigma^{(1)}(max) = \varepsilon$, which results in the correct values.
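As an added example (the editor's code, not the paper's MATLAB implementation and not its Ex. 26), the following Python runs strategy iteration from below (Fig. 2b) on a small constructed game with exact rational arithmetic, and also implements the check behind step 5 of Fig. 2a: computing $\nu V^a_\#$ for a candidate fixpoint $a$ to see whether it can still be lowered on a vicious cycle. Two substitutions are assumptions of this example rather than the paper's method: $\mu V_\sigma$ is obtained by Min-side policy iteration after pinning the payoff-0 set (the greatest fixpoint over $2^V$ mentioned above) instead of by the linear program of Lem. 29, and $V^a_\#$ is coded from the definition given at the start of this section. The node names m, x, t, one and eps are the example's own.

```python
from fractions import Fraction as Fr

# Constructed simple stochastic game (not the paper's Ex. 26). Max wants to reach the
# sink "one" (payoff 1), Min wants to avoid it; "eps" is a sink with payoff 0.
MIN = {"m": ["x", "one"]}                        # Min node -> successors
MAX = {"x": ["m", "t"]}                          # Max node -> successors
AV = {"t": {"one": Fr(1, 2), "eps": Fr(1, 2)}}   # average node -> distribution
SINKS = {"one": Fr(1), "eps": Fr(0)}
NODES = list(MIN) + list(MAX) + list(AV) + list(SINKS)


def gauss(A, b):
    """Solve A x = b exactly over the rationals (Gauss-Jordan with a non-zero pivot)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] != 0)
        M[c], M[p] = M[p], M[c]
        M[c] = [e / M[c][c] for e in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                M[r] = [e - M[r][c] * f for e, f in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]


def chain_value(tau, sigma, zero):
    """Payoff of the Markov chain with both strategies fixed; nodes in `zero` are pinned to 0."""
    unknown = [v for v in NODES if v not in SINKS and v not in zero]
    idx = {v: k for k, v in enumerate(unknown)}
    A = [[Fr(0)] * len(unknown) for _ in unknown]
    b = [Fr(0)] * len(unknown)
    for v in unknown:
        A[idx[v]][idx[v]] += 1
        succ = {tau[v]: Fr(1)} if v in MIN else {sigma[v]: Fr(1)} if v in MAX else AV[v]
        for u, p in succ.items():
            if u in SINKS:
                b[idx[v]] += p * SINKS[u]
            elif u not in zero:
                A[idx[v]][idx[u]] -= p
    x = gauss(A, b)
    return {**{v: Fr(0) for v in zero}, **SINKS, **{v: x[idx[v]] for v in unknown}}


def gfp(start, closed):
    """Greatest fixpoint over 2^V: shrink `start` until every member passes the closure test."""
    V = set(start)
    while True:
        keep = {v for v in V if closed(v, V)}
        if keep == V:
            return V
        V = keep


def min_forces_zero(sigma):
    """Nodes from which Min, against the fixed sigma, keeps the play away from "one" forever
    (payoff 0): the pre-computation the text mentions for mu V_sigma."""
    def closed(v, Z):
        if v in MIN:
            return any(u in Z for u in MIN[v])
        if v in MAX:
            return sigma[v] in Z
        return v in SINKS or all(u in Z for u in AV[v])
    return gfp([v for v in NODES if SINKS.get(v, Fr(0)) == 0], closed)


def switch(strat, a, nodes, best):
    """sw_min / sw_max: re-route a node only where that strictly improves its value under a."""
    new = dict(strat)
    for v, succ in nodes.items():
        opt = best(a[u] for u in succ)
        if (best is min and opt < a[strat[v]]) or (best is max and opt > a[strat[v]]):
            new[v] = next(u for u in succ if a[u] == opt)
    return new


def least_fixpoint_sigma(sigma):
    """mu V_sigma by Min-side policy iteration (a stand-in for the LP of Lem. 29): with the
    payoff-0 set pinned, every Min strategy reaches a sink, so each linear system is solvable."""
    zero = min_forces_zero(sigma)
    tau = {v: succ[0] for v, succ in MIN.items()}
    while True:
        a = chain_value(tau, sigma, zero)
        new = switch(tau, a, MIN, min)
        if new == tau:
            return a
        tau = new


def strategy_iteration_from_below(sigma0):
    """Fig. 2(b): Max switches until no switch strictly improves; returns (mu V, optimal sigma)."""
    sigma = dict(sigma0)
    while True:
        a = least_fixpoint_sigma(sigma)
        new = switch(sigma, a, MAX, max)
        if new == sigma:
            return a, sigma
        sigma = new


def vicious_cycle(a):
    """nu V^a_# for a fixpoint a: largest set of non-sink nodes that can be lowered together
    (Min keeps a minimal successor inside, all maximal successors of Max inside, all successors
    of an average node inside). Empty iff a is the least fixpoint."""
    def closed(v, V):
        if v in MIN:
            return any(u in V and a[u] == min(a[s] for s in MIN[v]) for u in MIN[v])
        if v in MAX:
            return all(u in V for u in MAX[v] if a[u] == max(a[s] for s in MAX[v]))
        return all(u in V for u in AV[v])
    return gfp([v for v in NODES if v not in SINKS and a[v] != 0], closed)
```

In the constructed game the fixpoint with value 1 on m and x is stable under both players' switches, yet `vicious_cycle` reports {m, x}, so it is not the least fixpoint; the least fixpoint has value 1/2 on m, x and t, and `strategy_iteration_from_below({"x": "m"})` reaches it after Max switches x from m to t (the first iteration pins m and x to payoff 0, because with x pointing back to m Min can cycle forever).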


We implemented strategy iteration from above and below and classical Kleene iteration in MATLAB. In Kleene iteration we terminate with a tolerance of $10^{-14}$, i.e., we stop if the change from one iteration to the next is below this bound. We tested the algorithms on random stochastic games and found that Kleene iteration is always the fastest, but it only converges towards the least fixpoint rather than computing it exactly, and it is known that the rate of convergence can be exponentially slow [10]. Strategy iteration from below is usually slightly faster than strategy iteration from above. More details can be found in the full version [5].


8 Conclusion 


It is well-known that several computations in the context of system verification can be performed by various forms of fixpoint iteration and it is worthwhile to study such methods at a high level of abstraction, typically in the setting of complete lattices and monotone functions. Going beyond the classical results by Tarski [28], the combination of fixpoint iteration with approximations [14,6] and with up-to techniques [25] has proven to be successful. Here we treated a more specific setting, where the carrier set consists of functions from a finite set into an MV-chain and the fixpoint functions are non-expansive (and hence monotone), and introduced a novel technique to obtain upper bounds for greatest and lower bounds for least fixpoints, including associated algorithms. Such techniques are applicable to a wide range of examples, and so far they have been studied only in quite specific scenarios, such as in [2,16,19].

In the future we plan to lift some of the restrictions of our approach. First, an extension to an infinite domain $Y$ would of course be desirable, but since several of our results currently depend on finiteness, such a generalisation does not seem to be easy. Another restriction, to total orders, seems easier to lift: in particular, if the partially ordered MV-algebra $\mathbb{M}$ is of the form $M^I$, where $I$ is a finite index set and $M$ an MV-chain. (E.g., finite Boolean algebras are of this type.) Then our function space is $\mathbb{M}^Y = (M^I)^Y \cong M^{Y \times I}$ and we have reduced to the setting presented in this paper. This will allow us to handle featured transition systems [12] where transitions are equipped with boolean formulas. We also plan to determine the largest possible increase that can be added to a fixpoint that is not yet the greatest fixpoint in order to maximally speed up fixpoint iteration from below (this might be larger than $\delta_f$).

There are several other application examples that did not fit into this paper, 
but that can also be handled by our approach: for instance behavioural distances 
for metric transition systems [15] and other types of systems [4]. We also plan 
to investigate other types of games, such as energy games [8]. While here we in- 
troduced strategy iteration techniques for simple stochastic games, we also want 
to check whether we can provide an improvement to value iteration techniques, 
combining our approach with [19]. 

We also plan to study whether some examples can be handled with other 
types of Galois connections: here we used an additive variant, but looking at 
multiplicative variants (multiplication by a constant factor) might also be fruit- 
ful. 


Acknowledgements: We are grateful to Ichiro Hasuo for making us aware of 
stochastic games as application domain. Furthermore we would like to thank 
Matthias Kuntz and Timo Matt for their help with experiments. 


References 


1. Bacci, G., Bacci, G., Larsen, K.G., Mardare, R.: On-the-fly exact computation of bisimilarity distances. Logical Methods in Computer Science 13(2:13), 1–25 (2017)
2. Bacci, G., Bacci, G., Larsen, K.G., Mardare, R., Tang, Q., van Breugel, F.: Computing probabilistic bisimilarity distances for probabilistic automata. In: Proc. of CONCUR '19. LIPIcs, vol. 140, pp. 9:1–9:17. Schloss Dagstuhl — Leibniz Center for Informatics (2019)
3. Baier, C., Katoen, J.P.: Principles of Model Checking. MIT Press (2008)
4. Baldan, P., Bonchi, F., Kerstan, H., König, B.: Coalgebraic behavioral metrics. Logical Methods in Computer Science 14(3) (2018), selected papers of the 6th Conference on Algebra and Coalgebra in Computer Science (CALCO 2015)
5. Baldan, P., Eggert, R., König, B., Padoan, T.: Fixpoint theory — upside down (2021), https://arxiv.org/abs/2101.08184, arXiv:2101.08184
6. Baldan, P., König, B., Padoan, T.: Abstraction, up-to techniques and games for systems of fixpoint equations. In: Proc. of CONCUR '20. LIPIcs, vol. 171, pp. 25:1–25:20. Schloss Dagstuhl — Leibniz Center for Informatics (2020), https://doi.org/10.4230/LIPIcs.CONCUR.2020.25
7. Björklund, H., Vorobyov, S.: Combinatorial structure and randomized subexponential algorithms for infinite games. Theoretical Computer Science 349(3), 347–360 (2005)
8. Brim, L., Chaloupka, J., Doyen, L., Gentilini, R., Raskin, J.F.: Faster algorithms for mean-payoff games. Formal Methods in System Design 38(2), 97–118 (2011)
9. Cleaveland, R.: On automatically explaining bisimulation inequivalence. In: Proc. of CAV '90. pp. 364–372. Springer (1990), LNCS 531
10. Condon, A.: On algorithms for simple stochastic games. In: Advances In Computational Complexity Theory. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, vol. 13, pp. 51–71 (1990)
11. Condon, A.: The complexity of stochastic games. Information and Computation 96(2), 203–224 (1992). https://doi.org/10.1016/0890-5401(92)90048-K
12. Cordy, M., Classen, A., Perrouin, G., Schobbens, P.Y., Heymans, P., Legay, A.: Simulation-based abstractions for software product-line model checking. In: Proc. of ICSE '12 (International Conference on Software Engineering). pp. 672–682. IEEE (2012)
13. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. of POPL '77 (Los Angeles, California). pp. 238–252. ACM (1977)
14. Cousot, P., Cousot, R.: Temporal abstract interpretation. In: Wegman, M.N., Reps, T.W. (eds.) Proc. of POPL '00. pp. 12–25. ACM (2000)
15. de Alfaro, L., Faella, M., Stoelinga, M.: Linear and branching system metrics. IEEE Transactions on Software Engineering 35(2), 258–273 (2009)
16. Fu, H.: Computing game metrics on Markov decision processes. In: Proc. of ICALP '12, Part II. pp. 227–238. Springer (2012), LNCS 7392
17. Hennessy, M., Milner, R.: Algebraic laws for nondeterminism and concurrency. Journal of the ACM 32, 137–161 (1985)
18. Karp, R.M., Hoffman, A.J.: On nonterminating stochastic games. Management Science 12(5), 359–370 (1966)
19. Kelmendi, E., Krämer, J., Křetínský, J., Weininger, M.: Value iteration for simple stochastic games: Stopping criterion and learning algorithm. In: Proc. of CAV '18. pp. 623–642. Springer (2018), LNCS 10981
20. Mémoli, F.: Gromov-Wasserstein distances and the metric approach to object matching. Foundations of Computational Mathematics 11(4), 417–487 (2011)
21. Mundici, D.: MV-algebras. A short tutorial, available at http://www.matematica.uns.edu.ar/IXCongresoMonteiro/Comunicaciones/Mundici_tutorial.pdf
22. Mundici, D.: Advanced Łukasiewicz calculus and MV-algebras, Trends in Logic, vol. 35. Springer (2011)
23. Nielson, F., Nielson, H.R., Hankin, C.: Principles of Program Analysis. Springer (2010)
24. Peyré, G., Cuturi, M.: Computational optimal transport (2020), https://arxiv.org/abs/2009.14817, arXiv:1803.00567
25. Pous, D.: Complete lattices and up-to techniques. In: Proc. of APLAS '07. pp. 351–366. Springer (2007), LNCS 4807
26. Sangiorgi, D.: Introduction to Bisimulation and Coinduction. Cambridge University Press (2011)
27. Stirling, C.: Bisimulation, model checking and other games. Notes for Mathfit instructional meeting on games and computation, Edinburgh (June 1997), http://homepages.inf.ed.ac.uk/cps/mathfit.pdf
28. Tarski, A.: A lattice-theoretical theorem and its applications. Pacific Journal of Mathematics 5, 285–309 (1955)
29. Tripathi, R., Valkanova, E., Kumar, V.A.: On strategy improvement algorithms for simple stochastic games. Journal of Discrete Algorithms 9, 263–278 (2011)
30. Villani, C.: Optimal Transport — Old and New, A Series of Comprehensive Studies in Mathematics, vol. 338. Springer (2009)


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.




“Most of” leads to undecidability: Failure of 
adding frequencies to LTL 


Bartosz Bednarczyk^{1,2} and Jakub Michaliszyn^2


1 Computational Logic Group, Technische Universität Dresden, Dresden, Germany
2 Institute of Computer Science, University of Wrocław, Wrocław, Poland
{bartosz.bednarczyk, jakub.michaliszyn}@cs.uni.wroc.pl


Abstract. Linear Temporal Logic (LTL) interpreted on finite traces is a robust specification framework popular in formal verification. However, despite the high interest in the logic in recent years, the topic of its quantitative extensions is not yet fully explored. The main goal of this work is to study the effect of adding weak forms of percentage constraints (e.g. that most of the positions in the past satisfy a given condition, or that $\sigma$ is the most-frequent letter occurring in the past) to fragments of LTL. Such extensions could potentially be used for the verification of influence networks or statistical reasoning. Unfortunately, as we prove in the paper, it turns out that percentage extensions of even tiny fragments of LTL have undecidable satisfiability and model-checking problems. Our undecidability proofs not only sharpen most of the undecidability results on logics with arithmetics interpreted on words known from the literature, but also are fairly simple. We also show that the undecidability can be avoided by restricting the allowed usage of the negation, and discuss how the undecidability results transfer to first-order logic on words.


1 Introduction 


Linear Temporal Logic [29] (LTL) interpreted on finite traces is a robust logical
framework used in formal verification [1,18,19]. However, LTL is not perfect:
it can express whether some event happens or not, but it cannot provide any 
insight on how frequently such an event occurs or for how long such an event took 
place. In many practical applications, such quantitative information is important: 
think of optimising a server based on how frequently it receives messages or 
optimising energy consumption knowing for how long a system is usually used 
in rush hours. Nevertheless, there is a solution: one can achieve such goals by 
adding quantitative features to LTL. 

It is known that adding quantitative operators to LTL often leads to undecidability. The proofs, however, typically involve operators such as "next" or "until", and are often quite complicated (see the discussion on the related work below). In this work, we study the logic $LTL_F$, a fragment of LTL where the only allowed temporal operator is "sometimes in the future" F. We extend its language with two types of operators, sharing a similar "percentage" flavour: with the Past-Majority $PM\,\varphi$ operator (stating that most of the past positions satisfy a formula $\varphi$), and with the Most-Frequent-Letter $MFL\,\sigma$ predicates (meaning that the letter $\sigma$ is among the most frequent letters appearing in the past). These operators can be used to express a number of interesting properties, such as: if a process failed to enter the critical section, then the other process was in the critical section the majority of time. Of course, for practical applications, we could also consider richer languages, such as parametrised versions of these operators, e.g. stating that at least a fraction $p$ of positions in the past satisfies a formula. However, we show, as our main result, that even these very simple percentage operators raise undecidability when combined with F.

To make the undecidability proof for both operators similar, we define an 
intermediate operator, Half , which is satisfied when exactly half of the past 
positions satisfy a given formula. The Half operator can be expressed easily 
with PM, but not with MFL — we show, however, that we can simulate it to an 
extent enough to show the undecidability. Our proof method relies on enforcing 
a model to be in the language ({wht}{shdw})*, for some letters wht and shdw, 
which a priori seems to be impossible without the “next” operator. Then, thanks 
to the specific shape of the models, we show that one can “transfer” the truth of 
certain formulae from positions into their successors, hence the “next” operator 
can be partially expressed. With a combination of these two ideas, we show that 
it is possible to write equicardinality statements in the logic. Finally, we perform 
a reduction from the reachability problem of Two-counter Machines [26]. In the 
reduction, the equicardinality statements will be responsible for handling zero- 
tests. The idea of transferring predicates from each position into its successor 
will be used for switching the machine into its next configuration. 

The presented undecidability proof of LTL with percentage operators can be adjusted to extensions of fragments of first-order logic on finite words. We show that $FO^2[<]$ extended with the majority quantifier M, i.e. the two-variable fragment of first-order logic admitting the majority quantifier M and the linear order predicate <, has an undecidable satisfiability problem. Here the meaning of a formula $Mx.\varphi(x, y)$ is that at least half of the possible interpretations of $x$ satisfy $\varphi(x, y)$. Our result sharpens an existing undecidability proof for (full) FO with Majority from [23] (since in our case the number of variables is limited), but also the one for $FO^2[<, succ]$ with arithmetics from [25] (since our counting mechanism is weaker and the successor relation succ is disallowed). On the positive side, we show that the undecidability heavily depends on the presence of the negation in front of the percentage operators. To do so, we introduce a logic, extending the full LTL, in which the usage of percentage operators is possible, but suitably restricted. For this logic, we show that the satisfiability problem is decidable.

All the above-mentioned results can be easily extended to the model checking 
problem, where the question is whether a given Kripke structure satisfies a given 
formula. The full version of the paper is available on arXiv [4]. 


1.1 Related work 


The first paper studying the addition of quantitative features to logic was [21], where the authors proved undecidability of Weak MSO with Cardinalities. They also developed a model of so-called Parikh Automaton, a finite automaton imposing a semi-linear constraint on the set of its final configurations. Such an automaton was successfully used to decide logics with counting as well as logics on data words [27,17]. Its expressiveness was studied in [11].

Another idea in the realm of quantitative features is availability languages [20], 
which extend regular expressions by numerical occurrence constraints on the let- 
ters. However, their high expressivity leads to undecidable emptiness problems. 
Weak forms of arithmetics have also attracted interest from researchers working 
on temporal logics. Several extensions of LTL were studied, including extensions 
with counting [24], periodicity constraints [14], accumulative values [7], discount- 
ing [2], averaging [9] and frequency constraints [8]. A lot of work was done to 
understand LTL with timed constraints, e.g. a metric LTL was considered in [28]. 
However, its complexity is high and its extensions are undecidable [3]. 

Arithmetical constraints can also be added to the First-Order logic (FO) on words via so-called counting quantifiers. It is known that weak MSO on words is decidable with threshold counting and modulo-counting (thanks to the famous Büchi theorem [10]), while even FO on words with percentage quantifiers becomes undecidable [23]. Extensions of fragments of FO on words are often decidable, e.g. the two-variable fragment $FO^2$ with counting [12] or $FO^2$ with modulo-counting [25]. The investigation of decidable extensions of $FO^2$ is limited by the undecidability of $FO^2$ on words with Presburger constraints [25].

Among the above-mentioned logics, the formalisms of this paper are most 
similar to Frequency LTL [8]. The satisfiability problem for Frequency LTL was 
claimed to be undecidable, but the undecidability proof as presented in [8] is 
bugged (see [9, Sec. 8] for discussion). It was mentioned in [9] that the unde- 
cidability proof from [8] can be patched, but no correction was published so far. 
Our paper not only provides a valid proof but also sharpens the result, as we 
use a way less expressive language (e.g. we are allowed to use neither the “until” 
operator nor the “next” operator). We also believe that our proof is simpler. 
The second-closest formalism to ours is average-LTL [9]. The main difference is 
that the averages of average-LTL are computed based on the future, while in 
our paper, the averages are based on the past. The second difference, as in the 
previous case, is that their undecidability proof uses more expressive operators, 
such as the “until” operator. 


2 Preliminaries 


We recall definitions concerning logics on words and temporal logics (cf. [15]).


Words and logics. Let AP be a countably-infinite set of atomic propositions, called here also letters. A finite word $w \in (2^{AP})^*$ is a non-empty finite sequence of positions labelled with sets of letters from AP. A set of words is called a language. Given a word $w$, we denote its $i$-th position with $w_i$ (where the first position is 0) and its prefix up to the $i$-th position with $w_{<i}$. We usually use the letters $p, q, i, j$ to denote positions. With $|w|$ we denote the length of $w$. The syntax of $LTL_F$, a fragment of LTL with only the finally operator F, is defined with the grammar: $\varphi, \varphi' := a$ (with $a \in AP$) $\mid \neg\varphi \mid \varphi \wedge \varphi' \mid F\varphi$.
The satisfaction relation $\models$ is defined for words as follows:

$w, i \models a$ if $a \in w_i$
$w, i \models \neg\varphi$ if not $w, i \models \varphi$
$w, i \models \varphi_1 \wedge \varphi_2$ if $w, i \models \varphi_1$ and $w, i \models \varphi_2$
$w, i \models F\varphi$ if $\exists j$ such that $|w| > j \geq i$ and $w, j \models \varphi$.

We write $w \models \varphi$ if $w, 0 \models \varphi$. The usual Boolean connectives $\top, \bot, \vee, \rightarrow$ can be defined, hence we will use them as abbreviations. Additionally, we use the globally operator $G\varphi := \neg F\neg\varphi$ to speak about events happening globally in the future.


Percentage extension. In our investigation, the percentage operators PM, MFL and Half are added to $LTL_F$.

The operator $PM\,\varphi$ (read as: majority in the past) is satisfied if at least half of the positions in the past satisfy $\varphi$:

$w, i \models PM\,\varphi$ if $|\{j < i : w, j \models \varphi\}| \geq \frac{i}{2}$

For example, the formula $G(r \leftrightarrow \neg g) \wedge G\,PM\,r \wedge GF(g \wedge PM\,g)$ is true over words where each request $r$ is eventually fulfilled by a grant $g$, and where each grant corresponds to at least one request. This can also be seen as the language of balanced parentheses, showing that with the operator PM one can define properties that are not regular.

The operator $MFL\,\sigma$ (read as: most-frequent letter in the past), for $\sigma \in AP$, is satisfied if $\sigma$ is among the letters with the highest number of appearances in the past, i.e.

$w, i \models MFL\,\sigma$ if $\forall r \in AP.\ |\{j < i : w, j \models \sigma\}| \geq |\{j < i : w, j \models r\}|$

For example, the formula $G\neg(r \wedge g) \wedge G\,MFL\,r \wedge GF(g \wedge MFL\,g)$ again defines words where each request is eventually fulfilled, but this time the formula allows for states where nothing happens (i.e. when both $r$ and $g$ are false).

The last operator, Half, is used to simplify the forthcoming undecidability proofs. This operator can be satisfied only at even positions, and its intended meaning is that exactly half of the past positions satisfy a given formula:

$w, i \models Half\,\varphi$ if $|\{j < i : w, j \models \varphi\}| = \frac{i}{2}$

It is not difficult to see that the operator $Half\,\varphi$ can be defined in terms of the past-majority operator as $PM\,\varphi \wedge PM\,\neg\varphi$, and that $Half\,\varphi$ can be satisfied only at even positions.

In the next sections, we distinguish different logics by enumerating the allowed operators in the subscripts, e.g. $LTL_{F,PM}$ or $LTL_{F,MFL}$.


Computational problems. Kripke structures are commonly used in verification to formalise abstract models. A Kripke structure is composed of a finite set $S$ of states, a set of initial states $I \subseteq S$, a total transition relation $R \subseteq S \times S$, and a finite labelling function $\ell: S \to 2^{AP}$. A trace of a Kripke structure is a finite word $\ell(s_0), \ell(s_1), \ldots, \ell(s_k)$ for any $s_0, s_1, \ldots, s_k$ satisfying $s_0 \in I$ and $(s_i, s_{i+1}) \in R$ for all $i < k$.

The model-checking problem amounts to checking whether some trace of a given Kripke structure satisfies a given formula $\varphi$. In the satisfiability problem, or simply in SAT, we check whether an input formula $\varphi$ has a model, i.e. a finite word $w$ witnessing $w \models \varphi$.


3 Playing with Half Operator 


Before we jump into the encoding of Minsky machines, we present some exercises to help the reader understand the expressive power of the logic $LTL_{F,Half}$. The tools established in the exercises play a vital role in the undecidability proofs provided in the following section.

We start from the definition of shadowy words.


Definition 1. Let wht and shdw be fixed distinct atomic propositions from AP. A word $w$ is shadowy if its length is even, all even positions of $w$ are labelled with wht, all odd positions of $w$ are labelled with shdw, and no position is labelled with both letters.




We will call the positions satisfying wht simply white and their successors satis- 
fying shdw simply their shadows. 

The following exercise is simple in LTL, but becomes much more challenging without the X operator.

Exercise 1. There is an $LTL_{F,Half}$ formula $\varphi_{shadowy}$ defining shadowy words.

Solution. We start with the "base" formula $\varphi^1_{sh} := wht \wedge G(wht \leftrightarrow \neg shdw) \wedge G(wht \rightarrow F\,shdw)$, which states that position 0 is labelled with wht, each position is labelled with exactly one letter among wht, shdw, and every white eventually sees a shadow in the future. What remains to be done is to ensure that only odd positions are shadows and that only even positions are white.

In order to do that, we employ the formula $\varphi^2_{sh} := G((Half\,wht) \leftrightarrow wht)$. Since Half is never satisfied at odd positions, the formula $\varphi^2_{sh}$ stipulates that odd positions are not labelled with wht, hence (by $\varphi^1_{sh}$) they are labelled with shdw. An inductive argument shows that all the even positions are labelled with wht: for position 0, it follows from $\varphi^1_{sh}$. For an even position $p > 0$, assuming (inductively) that all even positions before $p$ are labelled with wht (and all odd ones with shdw), exactly $p/2$ of the $p$ past positions satisfy wht, so $Half\,wht$ holds at $p$ and the formula $\varphi^2_{sh}$ ensures that $p$ is labelled with wht.

Putting it all together, the formula $\varphi_{shadowy} := \varphi^1_{sh} \wedge \varphi^2_{sh}$ is as required.


In the next exercise, we show that it is possible to transfer the presence of 
certain letters from white positions into their shadows. It justifies the usage of 
“shadows” in the paper. 

We introduce the so-called counting terms. For a formula $\varphi$, word $w$ and a position $p$, by $\#_\varphi(w, p)$ we denote the total number of positions among $0, \ldots, p-1$ satisfying $\varphi$, i.e. the size of $\{p' < p \mid w, p' \models \varphi\}$. We omit $w$ in counting terms if it is known from the context.


Exercise 2. Let $\sigma$ and $\bar\sigma$ be distinct letters from $AP \setminus \{wht, shdw\}$. There is an $LTL_{F,Half}$ formula $\varphi^{trans}_{\sigma,\bar\sigma}$ such that $w \models \varphi^{trans}_{\sigma,\bar\sigma}$ iff:

1. $w$ is shadowy,
2. only white (resp., shadow) positions of $w$ can be labelled with $\sigma$ (resp., $\bar\sigma$), and
3. for any even position $p$ we have: $w, p \models \sigma \Leftrightarrow w, p+1 \models \bar\sigma$.

Solution. Note that the first two conditions can be expressed with the conjunction of $\varphi_{shadowy}$, $G(\sigma \rightarrow wht)$ and $G(\bar\sigma \rightarrow shdw)$. The last condition is more involved. Assuming that the words under consideration satisfy conditions 1-2, it is easy to see that the third condition is equivalent to expressing that all white positions $p$ satisfy the equation (♡):

(♡): $\#_{wht \wedge \sigma}(w, p) = \#_{shdw \wedge \bar\sigma}(w, p)$

supplemented with the condition (♠), ensuring that the last white position satisfies condition 3, i.e.

(♠): for the last white position $p$ we have: $w, p \models \sigma \Leftrightarrow w, p+1 \models \bar\sigma$

The proof of the following lemma can be found in the appendix.


Lemma 1. Let $w$ be a word satisfying the conditions 1-2. Then $w$ satisfies condition 3 iff $w$ satisfies (♠) and for all white positions $p$ the equation (♡) holds.


Going back to Exercise 2, we show how to define (♡) and (♠) in $LTL_{F,Half}$, taking advantage of shadowness of the intended models. Take an arbitrary white position $p$ of $w$. The equation (♡) for $p$ is clearly equivalent to:

(♡'): $\#_{wht \wedge \sigma}(w, p) + \left(\frac{p}{2} - \#_{shdw \wedge \bar\sigma}(w, p)\right) = \frac{p}{2}$

Since $p$ is even, we infer that $\frac{p}{2} \in \mathbb{N}$. From the shadowness of $w$, we know that there are exactly $\frac{p}{2}$ shadows in the past of $p$. Moreover, each shadow satisfies either $\bar\sigma$ or $\neg\bar\sigma$. Hence, the expression $\frac{p}{2} - \#_{shdw \wedge \bar\sigma}(w, p)$ from (♡') can be replaced with $\#_{shdw \wedge \neg\bar\sigma}(w, p)$. Finally, since wht and shdw label disjoint positions, the property that every white position $p$ satisfies (♡) can be written as the $LTL_{F,Half}$ formula $\varphi_{(♡)} := G(wht \rightarrow Half([wht \wedge \sigma] \vee [shdw \wedge \neg\bar\sigma]))$. Its correctness follows from the correctness of each arithmetic transformation and the semantics of $LTL_{F,Half}$.

For the property (♠), we first need to define formulae detecting the last and the second-to-last positions of the model. Detecting the last position is easy: since the last position of $w$ is a shadow, it is sufficient to express that it sees only shadows in its future, i.e. $\varphi^{last} := G(shdw)$. Similarly, a position is second-to-last if it is white and it sees only white or last positions in the future, which results in the formula $\varphi^{2nd} := wht \wedge G(wht \vee \varphi^{last})$. Note that the correctness of $\varphi^{last}$ and $\varphi^{2nd}$ follows immediately from shadowness. Hence, we can define the formula $\varphi_{(♠)} := F(\varphi^{2nd} \wedge \sigma) \leftrightarrow F(\varphi^{last} \wedge \bar\sigma)$. The conjunction of $\varphi_{(♠)}$, $\varphi_{(♡)}$ and the formulae for conditions 1-2 gives us $\varphi^{trans}_{\sigma,\bar\sigma}$.


We consider a generalisation of shadowy models, where each shadow mimics all letters from a finite set $\Sigma \subseteq AP$ rather than just a single letter $\sigma$. Such a generalisation is described below. In what follows, we always assume that for each $\sigma \in \Sigma$ there is a unique $\bar\sigma$, which is different from $\sigma$, and $\bar\sigma \notin \Sigma$. Moreover, we always assume that $\sigma_1 \neq \sigma_2$ implies $\bar\sigma_1 \neq \bar\sigma_2$.


Definition 2. Let $\Sigma \subseteq AP \setminus \{wht, shdw\}$ be a finite set. A shadowy word $w$ is called truly $\Sigma$-shadowy if for every letter $\sigma \in \Sigma$ only the white (resp. shadow) positions of $w$ can be labelled with $\sigma$ (resp. $\bar\sigma$) and every white position $p$ of $w$ satisfies $w, p \models \sigma \Leftrightarrow w, p+1 \models \bar\sigma$.


Knowing the solution for the previous exercise, it is easy to come up with a formula $\varphi^{\Sigma}_{shadowy}$ defining truly $\Sigma$-shadowy models: just take the conjunction of $\varphi_{shadowy}$ and $\varphi^{trans}_{\sigma,\bar\sigma}$ over all letters $\sigma \in \Sigma$. The correctness follows immediately from Exercise 2.


Corollary 1. The formula $\varphi^{\Sigma}_{shadowy}$ defines the language of truly $\Sigma$-shadowy words.


The next exercise shows how to compare cardinalities in LT Le Haly over 
truly X-shadowy models. We are not going to introduce any novel techniques 
here, but the exercise is of great importance: it is used in the next section to 
encode zero tests of Minsky machines. 


Exercise 3. Let $X$ be a finite subset of $AP \setminus \{wht, shdw\}$ and let $\alpha \neq \beta \in X$. There exists an $LTL_F^{Half}$ formula $\psi_{\#\alpha = \#\beta}$ such that for any truly $X$-shadowy word $w$ and any of its white positions $p$ the equivalence $w, p \models \psi_{\#\alpha = \#\beta} \iff \#_{wht \wedge \alpha}(w, p) = \#_{wht \wedge \beta}(w, p)$ holds.


The solution is in the appendix; here we briefly discuss the main idea. Follow the previous exercise. The main difficulty is to express the equality of counting terms, written as $LHS = RHS$. Note that it is clearly equivalent to $LHS + (\frac{p}{2} - RHS) = \frac{p}{2}$. Unfold $\frac{p}{2}$ on the left hand side, i.e. replace it with the total number of shadows in the past. Use the fact that $w$ satisfies $\psi^{trans}_\beta$, which implies the equality $\#_{wht \wedge \beta}(w, p) = \#_{shdw \wedge \bar\beta}(w, p)$. Finally, get rid of the subtraction and write an $LTL_F^{Half}$ formula by employing Half. The presented exercises show that the expressive power of $LTL_F^{Half}$ is so high that, under the mild assumption of truly-shadowness, it allows us to perform cardinality comparison. We are now only a step away from showing undecidability of the logic, which is tackled next.


4 Undecidability of LTL extensions 


This section is dedicated to the main technical contribution of the paper, namely that $LTL_F^{Half}$, $LTL_F^{PM}$ and $LTL_F^{MFL}$ have undecidable satisfiability and model checking problems. We start from $LTL_F^{Half}$. Then, the undecidability of $LTL_F^{PM}$ will follow immediately from the fact that Half is definable by PM. Finally, we will show how the undecidability proof can be adjusted to $LTL_F^{MFL}$. We start by recalling the basics of Minsky machines.


Minsky machines A deterministic Minsky machine is, roughly speaking, a finite transition system equipped with two unbounded-size natural counters, where each counter can be incremented, decremented (only in the case it is positive), and tested for being zero. Formally, a Minsky machine $A$ is composed of a finite set of states $Q$ with a distinguished initial state $q_0$ and a transition function $\delta : (Q \times \{0,+\}^2) \to (\{-1,0,1\}^2 \times (Q \setminus \{q_0\}))$ satisfying three additional requirements: whenever $\delta(q, f, s) = (\bar f, \bar s, q')$ holds, $\bar f = -1$ implies $f = +$, $\bar s = -1$ implies $s = +$ (i.e. only the positive counters can be decremented) and $q \neq q'$ (the machine cannot enter the same state two times in a row). Intuitively, the first coordinate of $\delta$ describes the current state of the machine, the second and the third coordinates tell us whether the current value of the $i$-th counter is zero or positive, the next two coordinates denote the update on the counters and the last coordinate denotes the target state.

We define a run of a Minsky machine $A$ as a sequence of consecutive transitions of $A$. Formally, a run of $A$ is a finite word $w \in (Q \times \{0,+\}^2 \times \{-1,0,1\}^2 \times Q \setminus \{q_0\})^+$ such that, when denoting $w_i$ as $(q^i, f^i, s^i, \bar f^i, \bar s^i, q^i_n)$, all the following conditions are satisfied:

1. $q^0 = q_0$ and $f^0 = s^0 = 0$,

2. for each $i$ we have $\delta(q^i, f^i, s^i) = (\bar f^i, \bar s^i, q^i_n)$,

3. for each $i < |w|$ we have $q^i_n = q^{i+1}$,

4. for each $i$, $f^i$ equals $0$ iff $\bar f^0 + \cdots + \bar f^{i-1} = 0$, and $+$ otherwise; similarly $s^i$ is $0$ iff $\bar s^0 + \cdots + \bar s^{i-1} = 0$ and $+$ otherwise.


It is not hard to see that this definition is equivalent to the classical one [26]. We say that a Minsky machine reaches a state $q \in Q$ if there is a run with a letter containing $q$ on its last coordinate. It is well known that the problem of checking whether a given Minsky machine reaches a given state is undecidable [26].
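The run definition above, turned into a checker, as an added example that is not part of the paper: a constructed four-state machine (its states, transition table and the convention that an undefined transition halts the machine are assumptions), a validator for conditions 1–4, and a step-bounded simulator. The step bound is what keeps the simulator a procedure, since reachability itself is undecidable.

```python
# Added example (not from the paper): a checker for the paper's definition of a
# Minsky-machine run (conditions 1-4) plus a bounded deterministic simulator.
# The machine below is constructed for illustration; states are plain strings.

from typing import Optional

ZERO, POS = "0", "+"          # counter-value flags used in transitions
Transition = tuple[str, str, str, int, int, str]  # (q, f, s, f_upd, s_upd, q_next)

# Constructed machine: moves the contents of the first counter into the second
# one and stops in "q_halt".  DELTA maps (state, flag_f, flag_s) to
# (f_upd, s_upd, next_state); a missing key means the machine halts (assumption).
DELTA = {
    ("q0", ZERO, ZERO): (+1, 0, "q1"),
    ("q1", POS, ZERO): (+1, 0, "q2"),
    ("q2", POS, ZERO): (-1, +1, "q3"),
    ("q3", POS, POS): (-1, +1, "q2"),
    ("q2", ZERO, POS): (0, 0, "q_halt"),
}
Q0 = "q0"


def is_well_formed(delta: dict, q0: str) -> bool:
    """The three side conditions on delta from the definition: a counter may
    only be decremented when its flag is '+', no transition targets the initial
    state, and no transition is a self-loop."""
    for (q, f, s), (f_upd, s_upd, q_next) in delta.items():
        if f_upd == -1 and f != POS:
            return False
        if s_upd == -1 and s != POS:
            return False
        if q_next == q0 or q_next == q:
            return False
    return True


def is_run(delta: dict, q0: str, word: list[Transition]) -> bool:
    """Conditions 1-4 of the paper's definition of a run."""
    if not word:
        return False
    q, f, s, *_ = word[0]
    if not (q == q0 and f == ZERO and s == ZERO):          # condition 1
        return False
    sum_f = sum_s = 0
    for i, (q, f, s, f_upd, s_upd, q_next) in enumerate(word):
        if delta.get((q, f, s)) != (f_upd, s_upd, q_next):   # condition 2
            return False
        if i + 1 < len(word) and word[i + 1][0] != q_next:   # condition 3
            return False
        # condition 4: the flags must reflect the sum of all earlier updates
        if f != (ZERO if sum_f == 0 else POS) or s != (ZERO if sum_s == 0 else POS):
            return False
        sum_f += f_upd
        sum_s += s_upd
    return True


def simulate(delta: dict, q0: str, target: str, max_steps: int) -> Optional[list[Transition]]:
    """Runs the (deterministic) machine for at most max_steps transitions and
    returns the run as soon as a transition enters `target`, else None."""
    q, cf, cs = q0, 0, 0
    run: list[Transition] = []
    for _ in range(max_steps):
        flags = (ZERO if cf == 0 else POS, ZERO if cs == 0 else POS)
        key = (q, flags[0], flags[1])
        if key not in delta:          # machine halts without reaching target
            return None
        f_upd, s_upd, q_next = delta[key]
        run.append((q, flags[0], flags[1], f_upd, s_upd, q_next))
        cf, cs, q = cf + f_upd, cs + s_upd, q_next
        if q == target:
            return run
    return None


if __name__ == "__main__":
    assert is_well_formed(DELTA, Q0)
    run = simulate(DELTA, Q0, "q_halt", 100)
    print(run)
    print(is_run(DELTA, Q0, run))
```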
4.1 “Half of” meets the halting problem


We start by presenting an overview of the claimed reduction. Until the end of Section 4, let us fix a Minsky machine $A = (Q, q_0, \delta)$ and its state $q \in Q$. Our ultimate goal is to define an $LTL_F^{Half}$ formula $\psi^q_A$ such that $\psi^q_A$ has a model iff $A$ reaches $q$. To do so, we define a formula $\psi_A$ such that there is a one-to-one correspondence between the models of $\psi_A$ and runs of $A$. Expressing the reachability of $q$, and thus $\psi^q_A$, based on $\psi_A$ is easy.

Intuitively, the formula $\psi_A$ describes a shadowy word $w$ encoding on its white positions the consecutive letters of a run of $A$. In order to express it, we introduce a set $X_A$, composed of the following distinguished atomic propositions:

— $from_q$ and $to_q$ for all states $q \in Q$,
— $fVal_c$ and $sVal_c$ for counter values $c \in \{0, +\}$, and
— $fOP_{op}$ and $sOP_{op}$ for all operations $op \in \{-1, 0, 1\}$.


We formalise the one-to-one correspondence as the function $run$, which takes an appropriately defined shadowy model and returns a corresponding run of $A$. More precisely, the function $run(w)$ returns a run whose $i$-th configuration is $(q, f, s, \bar f, \bar s, q_n)$ if and only if the $i$-th white configuration of $w$ is labelled with $from_q$, $fVal_f$, $sVal_s$, $fOP_{\bar f}$, $sOP_{\bar s}$ and $to_{q_n}$.

The formula $\psi_A$ ensures that its models are truly $X_A$-shadowy words representing a run satisfying properties P1–P4. To construct it, we start from the formula defining truly $X_A$-shadowy words (Corollary 1) and extend it with four conjuncts. The first two of them represent properties P1–P2 of runs. They can be written in $LTL_F$ in an obvious way.

To ensure the satisfaction of the property P3, we observe that in some sense the letters $from_q$ and $to_q$ are paired in a model, i.e. after reaching a state in $A$ you always need to get out of it (the initial state is an exception here, but we assumed that there are no transitions to the initial state). Thus, to identify for which $q$ we should set the $from_q$ letter on the position $p$, it is sufficient to see for which state we do not have a corresponding pair, i.e. for which state $q$ the number of white $from_q$ to the left of $p$ is not equal to the number of white $to_q$ to the left of $p$. We achieve this in the spirit of Exercise 3.

Finally, the satisfaction of the property P4 can be achieved by checking for each position $p$ whether the number of white $fOP_{+1}$ to the left of $p$ is the same as the number of white $fOP_{-1}$ to the left of $p$, and similarly for the second counter. This reduces to checking the equicardinality of certain sets, which can be done by employing shadows and Exercise 3.


The reduction Now we are ready to present the claimed reduction.

We first restrict the class of models under consideration to truly $X_A$-shadowy words (for the feasibility of the equicardinality encoding) with the formula from Corollary 1. Then, we express that the models satisfy properties P1 and P2. The first property can be expressed with $\psi_{P1} := from_{q_0} \wedge fVal_0 \wedge sVal_0$.

The property P2 will be a conjunction of two formulae. The first one, namely $\psi'_{P2}$, is an immediate implementation of P2. The second one, i.e. $\psi''_{P2}$, is not necessary, but simplifies the proof; we require that no position is labelled by more than six letters from $X_A$.


$\psi'_{P2} := G\Big(wht \to \bigvee_{\delta(q,f,s) = (\bar f, \bar s, q_n)} from_q \wedge fVal_f \wedge sVal_s \wedge fOP_{\bar f} \wedge sOP_{\bar s} \wedge to_{q_n}\Big)$,

$\psi''_{P2} := G \bigwedge_{p_1, \ldots, p_7 \in X_A \text{ pairwise different}} \neg(p_1 \wedge p_2 \wedge \cdots \wedge p_7)$.

We put $\psi_{P2} := \psi'_{P2} \wedge \psi''_{P2}$ and let $\psi_{enc\text{-}basics}$ be the conjunction of the formula from Corollary 1 (for $X_A$), $\psi_{P1}$ and $\psi_{P2}$.

We now formalise the correspondence between intended models and runs. Let $run$ be the function which takes a word $w$ satisfying $\psi_{enc\text{-}basics}$ and returns the word $w^A$ such that $|w^A| = |w|/2$ and for each position $i$ we have:

$(\star)$: $w^A_i = (q, f, s, \bar f, \bar s, q_n)$ iff $w_{2i} = \{wht, from_q, fVal_f, sVal_s, fOP_{\bar f}, sOP_{\bar s}, to_{q_n}\}$.

The definition of $\psi_{enc\text{-}basics}$ makes the function $run$ correctly defined and unambiguous, and ensures that the results of $run$ satisfy properties P1 and P2.

Fact 5 The function $run$ is uniquely defined and returns words satisfying P1 and P2.


What remains to be done is to ensure properties P3 and P4. Both formulae rely on the tools established in Exercise 3 and are defined as follows:

$\psi_{P3} := G\Big(wht \to \bigwedge_{q \in Q \setminus \{q_0\}} (from_q \vee \psi_{\#from_q = \#to_q})\Big)$,

$\psi_{P4} := G(fVal_0 \to \psi_{\#fOP_{+1} = \#fOP_{-1}}) \wedge G(sVal_0 \to \psi_{\#sOP_{+1} = \#sOP_{-1}}) \wedge G(wht \to (fVal_0 \leftrightarrow \neg fVal_+)) \wedge G(wht \to (sVal_0 \leftrightarrow \neg sVal_+))$.


Lemma 2. If $w$ satisfies $\psi_{enc\text{-}basics} \wedge \psi_{P3}$, then $run(w)$ satisfies P1–P3.

Proof. The satisfaction of the properties P1 and P2 by $run(w)$ follows from Fact 5. Ad absurdum, assume that $run(w)$ does not satisfy P3. It implies the existence of a white position $p$ in $w$ such that $w, p \models to_q$ but $w, p{+}2 \models from_{q'}$ for some $q \neq q'$. By our definition of Minsky machines, we conclude that $w, p \models from_{q''}$ for some $q'' \neq q$. Thus, $w, p \not\models from_q$.

From the satisfaction of $\psi_{P3}$ by $w$ we know that $w, p \models \psi_{\#from_q = \#to_q}$. Let $k$ be the total number of positions labelled with $from_q$ before $p$. Since $w, p \models \psi_{\#from_q = \#to_q}$ holds, by Exercise 3 we infer that the number of positions satisfying $to_q$ before $p$ is also equal to $k$. Since $w, p{+}2 \not\models from_q$ and from the satisfaction of $\psi_{P3}$ by $w$ we once more conclude $w, p{+}2 \models \psi_{\#from_q = \#to_q}$. But such a situation clearly cannot happen due to the fact that the number of $to_q$ in the past is equal to $k + 1$, while the number of $from_q$ in the past is $k$.

Finally, let us define $\psi_A$ as $\psi_{enc\text{-}basics} \wedge \psi_{P3} \wedge \psi_{P4}$. The use of $\leftrightarrow$ in $\psi_{P4}$ guarantees that $fVal_0$ labels exactly the white positions having the counter empty (and similarly for the second counter). The counters are never decreased from $0$, thus the white positions not satisfying $fVal_0$ are exactly those having the first counter positive.

The proof of the forthcoming fact relies on the correctness of Exercise 3, is quite similar to the proof of Lemma 2, and is presented in the appendix.

Lemma 3. If $w$ satisfies $\psi_A$, then $run(w)$ is a run of $A$.

Lastly, to show that the encoding is correct, we need to show that each run has a corresponding model. It is again easy: it can be shown by constructing an appropriate $w$; the white positions are defined according to $(\star)$, and the shadows can be constructed accordingly.

Fact 6 If $w^A$ is a run of $A$, then there is a word $w \models \psi_A$ s.t. $run(w) = w^A$.

Let $\psi^q_A := \psi_A \wedge F(to_q)$. Observe that the formula $\psi^q_A$ is satisfiable if and only if $A$ reaches $q$. The “if” part follows from Lemma 3 and the satisfaction of the conjunct $F(to_q)$ from $\psi^q_A$. The “only if” part follows from Fact 6. Hence, from the undecidability of the reachability problem for Minsky machines we infer our main theorem:

Theorem 1. The satisfiability problem for $LTL_F^{Half}$ is undecidable.


6.1 Undecidability of model-checking 


For a given alphabet $\Sigma$, we can define a Kripke structure $K_\Sigma$ whose set of traces is the language $(2^\Sigma)^*$: the set of states $S$ of $K_\Sigma$ is composed of all subsets of $\Sigma$, all states are initial (i.e. $I = S$), the transition relation is the maximal relation ($R = S \times S$) and $\ell(X) = X$ for any subset $X \subseteq \Sigma$. It follows that a formula $\varphi$ over an alphabet $\Sigma$ is satisfiable if and only if there is a trace of $K_\Sigma$ satisfying $\varphi$. From the undecidability of the satisfiability problem for $LTL_F^{Half}$ we get:

Theorem 2. Model-checking of $LTL_F^{Half}$ formulae over Kripke structures is undecidable.

The decidability can be regained if additional constraints on the shape of Kripke structures are imposed: model-checking of $LTL_F^{Half}$ formulae over flat structures is decidable [13].

As discussed earlier, the Half operator can be expressed in terms of the PM operator. Hence, we conclude:

Corollary 2. Model-checking and satisfiability problems for $LTL_F^{PM}$ are undecidable.
6.2 Most-Frequent Letter and Undecidability


We next turn our attention to the MFL operator, which turns out to be a little bit problematic. Typically, formulae depend only on the atomic propositions that they explicitly mention. Here, it is not the case. Consider a formula $\varphi = MFL\, a$ and words $w_1 = \{a\}\{\}\{a\}$ and $w_2 = \{a, b\}\{b\}\{a, b\}$. Clearly, $w_1, 2 \models \varphi$ whereas $w_2, 2 \not\models \varphi$. This can be fixed in many ways, for example by parametrising MFL with a domain, so that it expresses that “$a$ is the most frequent letter among $b_1, \ldots, b_n$”. We show, however, that even this very basic version of MFL is undecidable. The proof is an adaptation of our previous proofs with a little twist inside.

First, we adjust the definition of shadowy words. A word $w$ is strongly shadowy if $w$ is shadowy and for each even position of $w$ we have that $wht$ and $shdw$ are the most frequent letters among the letters labelling $w$, while for odd positions $wht$ is the most frequent. Note that the words constructed in the previous sections were strongly shadowy because each letter $\sigma$ appeared only at whites or only at shadows.


Exercise 4. There exists an $LTL_F^{MFL}$ formula $\psi^{MFL}_{shadowy}$ defining strongly shadowy words.

Proof. It suffices to revisit Exercise 1 and to modify the conjunct of $\psi_{shadowy}$ stipulating that odd positions are exactly those labelled with $shdw$ (since it is the only one of its conjuncts employing Half). We claim that this conjunct can be expressed with

$\psi^{MFL} := G\,[MFL(wht) \wedge (wht \leftrightarrow MFL(shdw))]$.

Indeed, take any word $w$ satisfying $\psi^{MFL}$ together with the remaining conjuncts of $\psi_{shadowy}$. Of course we have $w, 0 \models wht$ (due to those conjuncts). Moreover, $w, 1 \models shdw$ holds: otherwise we would get a contradiction with $shdw$ not being the most frequent letter in the past of $1$. Now assume $p > 1$ and assume that the word $w_0, \ldots, w_{p-1}$ is strongly shadowy. Consider two cases. If $p$ is odd, then both $wht$ and $shdw$ are the most frequent letters in the past of $p{-}1$ and $p{-}1$ is labelled by $wht$. Then, $shdw$ is not the most frequent letter in the past of $p$ and thus $p$ is labelled by $shdw$ and $wht$ is the most frequent letter in the past of $p$. If $p$ is even, $p{-}2$ is labelled by $wht$ and the most frequent letters in the past of $p{-}2$ are $wht$ and $shdw$, and $p{-}1$ is labelled by $shdw$. Thus both $wht$ and $shdw$ are the most frequent letters in the past of $p$ and therefore $p$ is labelled by $wht$. Thus, $w_0, \ldots, w_p$ is strongly shadowy. By induction, $w$ is strongly shadowy. It can be readily checked that every strongly shadowy word satisfies $\psi^{MFL}_{shadowy}$.


We argue that over the strongly shadowy models, the formulae $Half\,\sigma$ and $MFL\,\sigma$ are equivalent.

Lemma 4. For all strongly shadowy words $w \models \psi^{MFL}_{shadowy}$, all even positions $2i$ and all letters $\sigma$ we have the equivalence $w, 2i \models Half\,\sigma$ iff $w, 2i \models MFL\,\sigma$.

Proof. If $w, 2i \models MFL\,\sigma$, then $w, 2i \models MFL\,wht$ due to the strong shadowness of $w$. Hence $\#_\sigma(w, 2i) = \#_{wht}(w, 2i) = i$, implying $w, 2i \models Half\,\sigma$.

Now, assume that $w, 2i \models Half\,\sigma$ holds, so $\sigma$ appears $i$ times in the past. Since $w$ is strongly shadowy we know that $wht$ is the most frequent letter. Moreover, $wht$ appears $\frac{2i}{2} = i$ times in the past. Hence, $w, 2i \models MFL\,\sigma$.
We say that a letter $\sigma$ is importunate in a word $w$ if $\sigma$ labels more than half of the positions in some even prefix of $w$. Notice that strongly shadowy words cannot have importunate letters.
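The past-counting semantics of Half and MFL, the equicardinality trick of Exercise 3 and Lemma 4, as an added example that is not from the paper: words are lists of label sets; the `_bar` naming of shadow letters, the generator of truly $X$-shadowy words and the sample words are constructed. It also shows why Lemma 4 needs strong shadowness, by running the same checks on a word with an importunate letter.

```python
# Added example (not from the paper): the past-counting semantics of Half and
# MFL on words given as lists of letter sets, a generator of truly X-shadowy
# words, and checks of the two facts the text relies on: the equicardinality
# encoding of Exercise 3 and Lemma 4 (Half = MFL at even positions).

WHT, SHDW = "wht", "shdw"


def bar(letter: str) -> str:
    """The 'shadow copy' of a letter (assumed naming convention)."""
    return letter + "_bar"


def past_count(word, p, pred) -> int:
    """Number of positions strictly before p whose label set satisfies pred."""
    return sum(1 for q in range(p) if pred(word[q]))


def half(word, p, pred) -> bool:
    """Half phi at p: phi holds at exactly half of the past positions."""
    return 2 * past_count(word, p, pred) == p


def mfl(word, p, letter) -> bool:
    """MFL letter at p: no letter of the word occurs more often before p."""
    alphabet = set().union(*word)
    mine = past_count(word, p, lambda s: letter in s)
    return all(mine >= past_count(word, p, lambda s, o=o: o in s) for o in alphabet)


def is_strongly_shadowy(word) -> bool:
    """Even positions are white, odd ones are shadows, the word has even length,
    wht is most frequent everywhere and shdw is most frequent exactly at even
    positions (the MFL requirement of the definition)."""
    if len(word) % 2:
        return False
    for p, s in enumerate(word):
        if (WHT in s) != (p % 2 == 0) or (SHDW in s) != (p % 2 == 1):
            return False
        if not mfl(word, p, WHT) or (p % 2 == 0) != mfl(word, p, SHDW):
            return False
    return True


def truly_shadowy(whites):
    """Builds a truly X-shadowy word: each white label set is followed by a
    shadow carrying bar(sigma) exactly for the sigma in that set."""
    word = []
    for letters in whites:
        word.append(frozenset({WHT, *letters}))
        word.append(frozenset({SHDW, *(bar(x) for x in letters)}))
    return word


def equicard_formula(word, p, alpha, beta) -> bool:
    """Exercise 3 encoding: Half([wht & alpha] v [shdw & not bar(beta)]) at p."""
    return half(word, p, lambda s: (WHT in s and alpha in s)
                or (SHDW in s and bar(beta) not in s))


def equicard_direct(word, p, alpha, beta) -> bool:
    """What the encoding is meant to express: #(wht & alpha) = #(wht & beta)."""
    return (past_count(word, p, lambda s: WHT in s and alpha in s)
            == past_count(word, p, lambda s: WHT in s and beta in s))


def lemma4_holds(word) -> bool:
    """Half sigma <-> MFL sigma at every even position, for every letter sigma."""
    alphabet = set().union(*word)
    return all(half(word, p, lambda s, x=x: x in s) == mfl(word, p, x)
               for p in range(0, len(word), 2) for x in alphabet)


if __name__ == "__main__":
    w = truly_shadowy([{"a"}, {"a", "b"}, {"b"}, set()])   # constructed sample
    print(is_strongly_shadowy(w), lemma4_holds(w))
    print([equicard_formula(w, p, "a", "b") for p in range(0, len(w), 2)])
```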

With the above lemma, it is tempting to finish the proof as follows: replace each $Half(\varphi)$ in the formulae from Section 4.1 with $MFL(p_\varphi)$ for some fresh atomic proposition $p_\varphi$ and require that $G(\varphi \leftrightarrow p_\varphi)$ holds. A formula obtained from $\varphi$ in this way will be called a dehalfication of $\varphi$ and will be denoted with $dehalf(\varphi)$. The next lemma shows that $dehalf(\cdot)$ preserves satisfaction of certain $LTL_F^{Half}$ formulae.

Lemma 5. Let $\varphi$ be an $LTL_F^{Half}$ formula without nested Half operators and without the F modality, let $\Lambda$ be the set of all formulae $\lambda$ such that $Half\,\lambda$ appears in $\varphi$, and let $w$ be a word such that $w \models \psi^{MFL}_{shadowy} \wedge \bigwedge_{\lambda \in \Lambda} G(p_\lambda \leftrightarrow \lambda)$. Then for all even positions $2p$ of $w$ we have that $w, 2p \models dehalf(\varphi)$ implies $w, 2p \models \varphi$.

Moreover, $w \models G(wht \to dehalf(\varphi))$ implies $w \models G(wht \to \varphi)$.

Proof. The proof goes via structural induction over $LTL_F^{Half}$ formulae without nested Half operators and without F operators. The only interesting case is when $\varphi = Half\,\lambda$, which follows from Lemma 4.

Note, however, that the above lemma works only one way: it fails when the formula $\varphi$ is satisfied in more than half of the positions of some prefix, as that would make $p_\varphi$ importunate, leading to unsatisfiability of $\psi^{MFL}_{shadowy}$.

6.3 Most-Frequent Letter: the reduction 


The next step is to construct a formula defining truly $X_A$-shadowy words, which are the crucial part of $\psi^{MFL}_{enc\text{-}basics}$. To do it, we first need to rewrite the formula $\psi^{trans}_\sigma$, transferring the truth of a letter $\sigma$ from whites into their shadows. The main ingredient of $\psi^{trans}_\sigma$ is the formula $G(wht \to Half([wht \wedge \sigma] \vee [shdw \wedge \neg\bar\sigma]))$, which we replace with its dehalfication. We call the obtained formula $(\psi^{trans}_\sigma)^{MFL}$ and show its correctness below.

First, by Lemma 5 we know that every model of $(\psi^{trans}_\sigma)^{MFL}$ is also a model of $\psi^{trans}_\sigma$. Then, the models of $\psi^{trans}_\sigma$ can be made strongly shadowy, so the dehalfication of $\psi^{trans}_\sigma$ is satisfiability-preserving.


Lemma 6. Let $p_\rho$ be a fresh letter for $\rho := [wht \wedge \sigma] \vee [shdw \wedge \neg\bar\sigma]$. Take $w$, a strongly shadowy word satisfying $w \models \psi^{trans}_\sigma$ without any occurrences of $p_\rho$. Then $w'$, the word obtained by labelling with $p_\rho$ all the positions of $w$ satisfying $\rho$, is strongly shadowy.


Hence, we obtain the correctness of $(\psi^{trans}_\sigma)^{MFL}$. By applying the same strategy to the other conjuncts of $\psi_{enc\text{-}basics}$ and to Fact 5, we obtain $\psi^{MFL}_{enc\text{-}basics}$ satisfying:

Corollary 3. The function $run$ (taking as input the words satisfying $\psi^{MFL}_{enc\text{-}basics}$) is uniquely defined and returns words satisfying P1 and P2. Moreover the formulae $\psi^{MFL}_{enc\text{-}basics}$ and $\psi_{enc\text{-}basics}$ are equi-satisfiable.
Towards completing the undecidability proof we need to prepare the rewritings of the formulae $\psi_{P3}$ and $\psi_{P4}$. For $\psi_{P3}$ we proceed similarly to the previous case. We know that the models of $\psi^{MFL}_{enc\text{-}basics} \wedge dehalf(\psi_{P3})$ satisfy P3 (due to Lemma 5 they satisfy $\psi_{P3}$ and hence, by Lemma 2, also P3). To observe the existence of such models, we show again that the satisfiability of $\psi_{P3}$ is preserved by dehalfication.

Lemma 7. Let $p_q$ be a fresh letter for $\rho_q := [wht \wedge from_q] \vee [shdw \wedge \neg\overline{to_q}]$, indexed over $q \in Q \setminus \{q_0\}$. Take $w$, a strongly shadowy word satisfying $w \models \psi^{MFL}_{enc\text{-}basics} \wedge \psi_{P3}$ without any occurrences of $p_q$. Then $w'$, the word obtained by labelling with $p_q$ all the positions of $w$ satisfying $\rho_q$, is strongly shadowy.

From Lemma 2, Lemma 7 and Lemma 5 we immediately conclude:

Corollary 4. If $w$ satisfies $\psi^{MFL}_{enc\text{-}basics} \wedge dehalf(\psi_{P3})$, then $run(w)$ satisfies P1–P3. Moreover the formulae $\psi^{MFL}_{enc\text{-}basics} \wedge dehalf(\psi_{P3})$ and $\psi_{enc\text{-}basics} \wedge \psi_{P3}$ are equi-satisfiable.


The last formula to rewrite is $\psi_{P4}$. We focus only on its first part, speaking about the first counter, i.e.

$G(fVal_0 \to Half([wht \wedge fOP_{+1}] \vee [shdw \wedge \neg\overline{fOP_{-1}}])) \wedge G(wht \to (fVal_0 \leftrightarrow \neg fVal_+))$.

Note that this time we cannot simply dehalfise this formula: the letter responsible for the inner part of Half would necessarily be importunate; consider an initial fragment of a run of $A$ in which $A$ increments its first counter without decrementing it. Fortunately, we cannot say the same when the machine decrements the counter and hence it suffices to express the equivalent (due to the even length of shadowy models) statement $\psi'_{P4}$ as follows:

$G(fVal_0 \to Half\, \neg([wht \wedge fOP_{+1}] \vee [shdw \wedge \neg\overline{fOP_{-1}}])) \wedge G(wht \to (fVal_0 \leftrightarrow \neg fVal_+))$.

As we did before, we show that the dehalfication of $\psi'_{P4}$ preserves satisfiability:

Lemma 8. Let $p_\rho$ be a fresh letter for $\rho := \neg([wht \wedge fOP_{+1}] \vee [shdw \wedge \neg\overline{fOP_{-1}}])$. Take $w$, a strongly shadowy word satisfying $w \models \psi^{MFL}_{enc\text{-}basics} \wedge dehalf(\psi_{P3}) \wedge \psi'_{P4}$ without any occurrences of $p_\rho$. Then $w'$, the word obtained by labelling with $p_\rho$ all the positions of $w$ satisfying $\rho$, is strongly shadowy.


Finally, let $(\psi^q_A)^{MFL} := \psi^{MFL}_{enc\text{-}basics} \wedge dehalf(\psi_{P3}) \wedge dehalf(\psi'_{P4}) \wedge F\, to_q$. From Lemma 3, Lemma 8 and Lemma 5 we immediately conclude:

Corollary 5. If $w$ satisfies $(\psi^q_A)^{MFL}$ then it satisfies P1–P4. Moreover the formulae $(\psi^q_A)^{MFL}$ and $\psi^q_A$ are equi-satisfiable.


Thus, by Theorem 1 and the above corollary, we obtain the undecidability of $LTL_F^{MFL}$. Undecidability of the model-checking problem is concluded by virtually the same argument as in Section 6.1. Hence:

Theorem 3. The model-checking and the satisfiability problems for $LTL_F^{MFL}$ are undecidable.
7 Decidable variants


We have shown that $LTL_F$ with frequency operators leads to undecidability. Without the operators that can express F (e.g. F, G or U), the decision problems become NP-complete. Below we assume the standard semantics of the LTL operator X, i.e. $w, i \models X\varphi$ iff $i + 1 < |w|$ and $w, i{+}1 \models \varphi$.

Theorem 4. Model-checking and satisfiability problems for $LTL_X^{MFL,PM}$ are NP-complete.


The complexity of $LTL_X^{MFL,PM}$ is so low because the truth of a formula depends only on some initial fragment of a trace. This is a big restriction of the expressive power. Thus, we consider a different approach motivated by [7].

In the new setting, we allow the use of arbitrary LTL formulae as well as percentage operators as long as they are not mixed with G. We introduce a logic $LTL^{\%}$, which extends the classical LTL [29] with the percentage operators of the form $P_{\bowtie k\%}\,\varphi$ for any $\bowtie \in \{<, \le, =, \ge, >\}$, $k \in \mathbb{N}$ and $\varphi \in LTL$. By way of example, the formula $P_{<20\%}(a)$ is true at a position $p$ if less than 20% of the positions before $p$ satisfy $a$. The past majority operator is a special case of the percentage operator: $PM = P_{>50\%}$. Formally:

To avoid undecidability, the percentage operators cannot appear under negation or be nested. Therefore, the syntax of $LTL^{\%}$ is defined with the grammar $\varphi, \varphi' ::= \varphi_{LTL} \mid \varphi \vee \varphi' \mid \varphi \wedge \varphi' \mid F(\varphi_{LTL} \wedge P_{\bowtie k\%}\,\varphi'_{LTL})$, where $\varphi_{LTL}, \varphi'_{LTL}$ are (full) LTL formulae.

The main tool used in the decidability proof is Parikh automata [21]. A Parikh automaton $P = (A, E)$ over the alphabet $\Sigma$ is composed of a finite-state automaton $A$ accepting words from $\Sigma^*$ and a semi-linear set $E$ given as a system of linear inequalities with integer coefficients, where the variables are $\ell_a$ for $a \in \Sigma$. We say that $P$ accepts a word $w$ if $A$ accepts $w$ and the mapping assigning to each variable $\ell_a$ from $E$ the total number of positions of $w$ carrying the letter $a$ is a solution of $E$. Checking non-emptiness of the language of $P$ can be done in NP [17]. Our main decidability result is obtained by constructing an appropriate Parikh automaton recognising the models of an input $LTL^{\%}$ formula.

Theorem 5. Model-checking and satisfiability problems for $LTL^{\%}$ are decidable.


Proof. Let $\varphi \in LTL^{\%}$. By turning $\varphi$ into DNF, we can focus on checking satisfiability of some of its conjuncts. Hence, w.l.o.g. we assume that $\varphi = \psi_0 \wedge \bigwedge_{i=1}^{n} \varphi_i$, where $\psi_0$ is in LTL and all $\varphi_i$ have the form $F(\psi^i_{LTL} \wedge P_{\bowtie_i k_i\%}\, \psi'^{i}_{LTL})$ for some LTL formulae $\psi^i_{LTL}$ and $\psi'^{i}_{LTL}$. Observe that a word $w$ is a model of $\varphi$ iff it satisfies $\psi_0$ and for each conjunct $\varphi_i$ we can pick a witness position $p_i$ from $w$ such that $w, p_i \models \psi^i_{LTL} \wedge P_{\bowtie_i k_i\%}\, \psi'^{i}_{LTL}$. Moreover, the percentage constraints inside such formulae speak only about the prefix $w_{<p_i}$. Thus, knowing the position $p_i$ and the number of positions before $p_i$ satisfying $\psi'^{i}_{LTL}$, the percentage constraint inside $\varphi_i$ can be imposed globally rather than locally. It suggests the use of Parikh automata: the LTL part of $\varphi$ can be checked by an appropriate automaton $A$ (due to the correspondence that for an LTL formula over finite words one can build a finite-state automaton recognising the models of such a formula [19]) and the global constraints, speaking about the satisfaction of percentage operators, can be ensured with a set of linear inequalities $E$.

Our plan is as follows: we decorate the intended models $w$ with additional information on witnesses, such that the witness position $p_i$ for $\varphi_i$ will be labelled by $w_i$ (and there will be a unique such position in a model), all positions before $p_i$ will be labelled by $b_i$ and, among them, we distinguish with a letter $s_i$ some special positions, i.e. those satisfying $\psi'^{i}_{LTL}$. More formally, for each $\varphi_i$ we produce an LTL formula $\varphi'_i$ according to the following rules:

— there is a unique position $p_i$ such that $w, p_i \models w_i$ (selecting a witness for $\varphi_i$),
— for all $j < p_i$ we have $w, j \models b_i$ (the positions before $p_i$ are labelled with $b_i$),
— $w \models G(s_i \to [b_i \wedge \psi'^{i}_{LTL}])$ (distribution of the special positions among $b_i$) and
— $w, p_i \models \psi^i_{LTL}$ (a precondition for $\varphi_i$).

Let $\varphi' := \psi_0 \wedge \bigwedge_{i=1}^{n} \varphi'_i \wedge \bigwedge_{i=1}^{n} F(w_i \wedge P_{\bowtie_i k_i\%}\, s_i)$. Note that $w \models \varphi'$ implies $w \models \varphi$. Moreover, any model $w \models \varphi$ can be labelled with letters $b_i, s_i, w_i$ such that the decorated word satisfies $\varphi'$. Let $\varphi'' := \psi_0 \wedge \bigwedge_{i=1}^{n} \varphi'_i$ and let $E$ be the system of $n$ inequalities with $E_i = 100 \cdot \ell_{s_i} \bowtie_i k_i \cdot \ell_{b_i}$. Now observe that any model of $\varphi'$ satisfies $E$ (i.e. the value assigned to $\ell_a$ is the total number of positions labelled with $a$), due to the satisfaction of the counting operators, and vice versa: every word $w \models \varphi''$ satisfying $E$ is a model of $\varphi'$. It gives us a sufficient characterisation of the models of $\varphi$. Let $A$ be a finite automaton recognising the models of $\varphi''$; then the Parikh automaton $P = (A, E)$, as we already discussed, is non-empty if and only if $\varphi$ has a model. Since checking non-emptiness of $P$ is decidable, we can conclude that $LTL^{\%}$ is decidable.


A rough complexity analysis yields an NEXPTIME upper bound on the problem: the automaton $P$ that we constructed is exponential in $\varphi$ (translating $\varphi$ to DNF does not increase the complexity since we only guess one conjunct, which is of polynomial size in $\varphi$). Moreover, checking non-emptiness can be done non-deterministically in time polynomial in the size of the automaton. The NEXPTIME bound is not optimal: we conjecture that the problem is PSPACE-complete. We believe that by employing techniques similar to [7], one can construct $P$ and check its non-emptiness on the fly, which should result in the PSPACE upper bound.

For the model-checking problem, we observe that determining whether some trace of a Kripke structure $K = (S, I, R, \ell)$ satisfies $\varphi$ is equivalent to checking the satisfiability of the formula $\varphi_K \wedge \varphi$, where $\varphi_K$ is a formula describing all the traces of $K$. Such a formula can be constructed in a standard manner. For simplicity, we treat $S$ as a set of auxiliary letters, and consider the conjunction of (1) $\bigvee_{s \in I} s$, (2) $G(X\top \to \bigvee_{(s,s') \in R} (s \wedge X s'))$ and (3) $\bigwedge_{s \in S} G(s \to \bigwedge_{p \in \ell(s)} p)$, expressing that the trace starts with an initial state, consecutive positions describe consecutive states and the trace is labelled by the appropriate letters. Thus, the model-checking problem can be reduced in polynomial time to the satisfiability problem.
8 Two-Variable First-Order Logic with Majority


The Two-Variable First-Order Logic on words ($FO^2[<]$) is a robust fragment of First-Order Logic FO interpreted on finite words. It involves quantification over variables $x$ and $y$ (ranging over the words' positions) and it admits a linear order predicate $<$ (interpreted as the natural order on positions) and the equality predicate $=$. Henceforth we assume the usual semantics of $FO^2[<]$ (cf. [16]).

In this section, we investigate the logic $FO^2_M[<]$, namely the extension of $FO^2[<]$ with the so-called Majority quantifier M. Such a quantifier was intensively studied due to its close connection with circuit complexity and algebra, see e.g. [22,5,6]. Intuitively, the formula $Mx.\varphi$ specifies that at least half of all the positions in a model, after substituting $x$ with them, satisfy $\varphi$. Formally, $w \models Mx.\varphi$ holds if and only if $|w| \le 2 \cdot |\{p \mid w, p \models \varphi[x/p]\}|$. We stress that the formula $Mx.\varphi$ may contain free occurrences of the variable $y$.

Note that the Majority quantifier shares similarities with the PM operator, but in contrast to PM, the M quantifier counts globally. We take advantage of such similarities and, by reusing the technique developed in the previous sections, we show that the satisfiability problem for $FO^2_M[<]$ is also undecidable. We stress that our result significantly sharpens an existing undecidability result for FO with Majority from [23] (since in our case the number of variables is limited) as well as for $FO^2[<, succ]$ with Presburger Arithmetic from [25] (since our counting mechanism is limited and the successor relation $succ$ is disallowed).


Proof plan There are three possible approaches to proving the undecidability of $FO^2_M[<]$. The first one is to reproduce all the results for $LTL_F^{PM}$, which is rather uninspiring. The second one is to define a translation from $LTL_F^{PM}$ to $FO^2_M[<]$ that produces an equisatisfiable formula. But because of models of odd length, this involves a lot of case study. Here we present a third approach, which, we believe, gives the best insight: we show a translation from $LTL_F^{PM}$ to $FO^2_M[<]$ that works for $LTL_F^{PM}$ formulae all of whose models are shadowy. Since we only use such models in the undecidability proof of $LTL_F^{PM}$, this shows the undecidability of $FO^2_M[<]$.


Shadowy models We first focus on defining shadowy words in $FO^2_M[<]$. Before we start, let us introduce a bunch of useful macros in order to simplify the forthcoming formulae. Their names coincide with their intuitive meaning and their semantics.

— $Half\,x.\varphi := Mx.\varphi \wedge Mx.\neg\varphi$,
— $first(x) := \neg\exists y\, y < x$, $second(x) := \exists y\, y < x \wedge \forall y\, (y < x \to first(y))$,
— $last(x) := \neg\exists y\, y > x$, $sectolast(x) := \exists y\, y > x \wedge \forall y\, (y > x \to last(y))$.


Lemma 9. There is an $FO^2_M[<]$ formula $\psi^{FO}_{shadowy}$ defining shadowy words.

Proof. Consider first a formula defining the language of all (non-empty) words where the letters $wht$ and $shdw$ label disjoint positions in such a way that the first position satisfies $wht$ and the total numbers of $shdw$ and $wht$ coincide. It can be written, e.g., as $\forall x\,(wht(x) \leftrightarrow \neg shdw(x)) \wedge \exists x\,(first(x) \wedge wht(x)) \wedge Half\,x.wht(x) \wedge Half\,x.shdw(x)$. To define shadowy words, it would be sufficient to specify that no neighbouring positions carry the same letter among $\{wht, shdw\}$. This can be done with the following, rather complicated at first glance, formulae:

$\psi^{forbid}_{wht}(x) := wht(x) \to Half\,y.\,([y < x \wedge wht(y)] \vee [x < y \wedge shdw(y)])$,

$\psi^{forbid}_{shdw}(x) := shdw(x) \to Half\,y.\,([(y < x \vee x = y) \wedge shdw(y)] \vee [x < y \wedge wht(y)])$.

Finally, let $\psi^{FO}_{shadowy}$ be the conjunction of the formula above and $\forall x.\,(\psi^{forbid}_{wht}(x) \wedge \psi^{forbid}_{shdw}(x))$.

Showing that shadowness implies the satisfaction of $\psi^{FO}_{shadowy}$ can be done by routine induction. For the opposite direction, take $w \models \psi^{FO}_{shadowy}$. Since $w$ satisfies the first conjunct, the only possibility for $w$ not to be shadowy is to have two consecutive positions $p, p{+}1$ carrying the same letter. W.l.o.g. assume they are both white. Let $w$ be the number of white positions to the left of $p$ and let $s$ be the number of shadows to the right of $p$. By applying $\psi^{forbid}_{wht}$ to $p$ we infer that $w + s = \frac{|w|}{2}$. On the other hand, by applying $\psi^{forbid}_{wht}$ to $p{+}1$ it follows that $(w + 1) + s = \frac{|w|}{2}$, which contradicts the previous equation. Hence, $w$ is shadowy.


Translation It is a classical result from [16] that $FO^2[<]$ can express $LTL_F$. We define a translation $tr_v(\varphi)$ from $LTL_F^{PM}$ to $FO^2_M[<]$, parametrised by a variable $v$ (where $v$ is either $x$ or $y$ and $\bar v$ denotes the other variable), inductively. We write $v \le \bar v$ rather than $v < \bar v \vee v = \bar v$ for simplicity. For the $LTL_F$ cases, we follow [16]: $tr_v(a) := a(v)$, for a fresh unary predicate $a$ for each $a \in AP$, $tr_v(\neg\varphi) := \neg tr_v(\varphi)$, $tr_v(\varphi \wedge \varphi') := tr_v(\varphi) \wedge tr_v(\varphi')$, $tr_v(F\varphi) := \exists \bar v\, (v \le \bar v) \wedge tr_{\bar v}(\varphi)$. For PM, we propose $tr_v(PM\,\varphi) := M\bar v\,((\bar v < v \wedge tr_{\bar v}(\varphi)) \vee (v \le \bar v \wedge wht(\bar v)))$. Finally, for a given $LTL_F^{PM}$ formula $\varphi$, let $tr(\varphi)$ stand for $\psi^{FO}_{shadowy} \wedge \exists x.\,(first(x) \wedge tr_x(\varphi))$.

The following lemma shows the correctness of the presented translation.

Lemma 10. An $LTL_F^{PM}$ formula $\varphi$ has a shadowy model iff $tr(\varphi)$ has a model.

Since the formulae used in our undecidability proof for $LTL_F^{PM}$ have only shadowy models, by Lemma 10 we conclude that $FO^2_M[<]$ is also undecidable.

Theorem 6. The satisfiability problem for $FO^2_M[<]$ is undecidable.


9 Conclusions 


We have provided a simple proof showing that adding different percentage operators to $LTL_F$ yields undecidability. We showed that our technique can be applied to an extension of first-order logic on words, and we hope that our work will prove useful in showing undecidability for other extensions of temporal logics. Decidability results for logics with percentage operators in restricted contexts were also provided.
Abstract. We describe the canonical weak distributive law $\delta: SP \to PS$ of the powerset
monad $P$ over the $S$-left-semimodule monad $S$, for a class of semirings $S$. We show that the
composition of $P$ with $S$ by means of such $\delta$ yields almost the monad of convex subsets
previously introduced by Jacobs: the only difference consists in the absence in Jacobs's monad
of the empty convex set. We provide a handy characterisation of the canonical weak lifting of
$P$ to $\mathrm{EM}(S)$ as well as an algebraic theory for the resulting composed monad.
Finally, we restrict the composed monad to finitely generated convex subsets and we show that it
is presented by an algebraic theory combining semimodules and semilattices with bottom, which
are the algebras for the finite powerset monad $P_f$.


Keywords: algebraic theories · monads · weak distributive laws.


1 Introduction 


Monads play a fundamental role in different areas of computer science since they embody notions
of computations [32], like nondeterminism, side effects and exceptions. Consider for instance
automata theory: deterministic automata can be conveniently regarded as a certain kind of
coalgebras on $\mathbf{Set}$ [33], nondeterministic automata as the same kind of coalgebras but on
$\mathrm{EM}(P_f)$ [35], and weighted automata on $\mathrm{EM}(S)$ [4]. Here, $P_f$ is the finite
powerset monad, modelling nondeterministic computations, while $S$ is the monad of semimodules
over a semiring $S$, modelling various sorts of quantitative aspects when varying the underlying
semiring $S$. It is worth mentioning two facts: first, rather than taking coalgebras over
$\mathrm{EM}(T)$, the category of algebras for the monad $T$, one can also consider coalgebras
over $\mathrm{Kl}(T)$, the Kleisli category induced by $T$ [20]; second, these two approaches
based on monads have led not only to a deeper understanding of the subject, but also to
effective proof techniques [6,7,14], algorithms [1,8,22,36,39] and logics [19,21,27].

Since compositionality is often the key to mastering complex structures, computer scientists
have devoted considerable effort to composing monads [40] or the equivalent notion of algebraic
theories [24]. Indeed, the standard approach of composing monads by means of distributive laws
[3] turned out to be somewhat unsatisfactory. On the one hand, distributive laws do not exist in
many relevant cases: see [28,41] for some no-go theorems; on the other hand, proving their
existence is error-prone: see [28] for a list of results that mistakenly assumed the existence
of a distributive law of the powerset monad over itself.

Nevertheless, some sort of weakening of the notion of distributive law, e.g. distributive laws
of functors over monads [26], proved to be ubiquitous in computer science: they are GSOS
specifications [38], they are sound coinductive up-to techniques [7] and complete abstract
domains [5]. In this paper we will exploit weak distributive laws in the sense of [15] that have
recently been shown successful in composing the monads for nondeterminism and probability [17].


The goal of this paper is to combine the monads $P_f$ and $S$ mentioned above. Our interest in
$S$ relies on the wide expressiveness provided by the possibility of varying $S$: for instance,
by taking $S$ to be the Boolean semiring one obtains the monad $P_f$; by fixing $S$ to be the
field of reals, coalgebras over $\mathrm{EM}(S)$ turn out to be linear dynamical systems [34].


We proceed as follows. Rather than composing $P_f$, we found it convenient to compose the full,
not necessarily finite, powerset monad $P$ with $S$. In this way we can reuse several results in
[12] that provide necessary and sufficient conditions on the semiring $S$ for the existence of a
canonical weak [15] distributive law $\delta: SP \to PS$. Our first contribution (Theorem 21)
consists in showing that such $\delta$ has a convenient alternative characterisation whenever the
underlying semiring is a positive semifield, a condition that is met, e.g., by the semirings of
Booleans and non-negative reals.

Such a characterisation allows us to give a handy definition of the canonical weak lifting of
$P$ over $\mathrm{EM}(S)$ (Theorem 24) and to observe that such a lifting is almost the same as
the monad $C: \mathrm{EM}(S) \to \mathrm{EM}(S)$ defined by Jacobs in [25] (Remark 25): the only
difference is the absence in $C$ of the empty subset. This difference becomes crucial when
considering the composed monads, named $CM: \mathbf{Set} \to \mathbf{Set}$ in [25] and
$P{\cdot}S: \mathbf{Set} \to \mathbf{Set}$ in this paper: the latter maps a set $X$ into the set
of convex subsets of $SX$, while the former additionally requires the subsets to be non-empty.
It turns out that while $\mathrm{Kl}(CM)$ is not $\mathbf{CPPO}$-enriched, a necessary condition
for the coalgebraic framework in [20], $\mathrm{Kl}(P{\cdot}S)$ indeed is (Theorem 30).

Composing monads by means of weak distributive laws is rewarding in many respects: here we
exploit the fact that algebras for the composed monad $P{\cdot}S$ coincide with
$\delta$-algebras, namely algebras for both $P$ and $S$ satisfying a certain pentagonal law. One
can extract from this law some distributivity axioms that, together with the axioms for
semimodules (algebras for the monad $S$) and those for complete semilattices (algebras for the
monad $P$), provide an algebraic theory presenting the monad $P{\cdot}S$ (Theorem 32).

We conclude by coming back to the finite powerset monad $P_f$. By replacing, in the above
theory, complete semilattices with semilattices with bottom (algebras for the monad $P_f$) one
obtains a theory presenting the monad $P_f{\cdot}S$ of finitely generated convex subsets
(Theorem 35), which is formally defined as a restriction of the canonical $P{\cdot}S$. The
theory, displayed in Table 1, consists of the theory presenting the monad $P_f$ and the theory
presenting the monad $S$ with four distributivity axioms.

Table 1. The sets of axioms $E_{SL}$ for semilattices (left), $E_{SM}$ for $S$-semimodules
(right) and $E_D$ for their distributivity (bottom).

  $(x \cup y) \cup z = x \cup (y \cup z)$    $(x + y) + z = x + (y + z)$    $(\lambda + \mu)\cdot x = \lambda\cdot x + \mu\cdot x$
  $x \cup y = y \cup x$                      $x + y = y + x$                $0_S \cdot x = 0$
  $x \cup \bot = x$                          $x + 0 = x$                    $(\lambda\mu)\cdot x = \lambda\cdot(\mu\cdot x)$
  $x \cup x = x$                                                            $\lambda\cdot(x + y) = \lambda\cdot x + \lambda\cdot y$
                                                                            $\lambda\cdot 0 = 0$

  $\lambda\cdot\bot = \bot$ for $\lambda \neq 0_S$    $\lambda\cdot(x \cup y) = (\lambda\cdot x) \cup (\lambda\cdot y)$
  $x + \bot = \bot$                                   $x + (y \cup z) = (x + y) \cup (x + z)$

To save space we had to omit most of the proofs of the results in this article: 
the interested reader can find them in [9]. 


Notation. We assume the reader to be familiar with monads and their maps. Given a monad
$(M, \eta^M, \mu^M)$ on $\mathbf{C}$, $\mathrm{EM}(M)$ and $\mathrm{Kl}(M)$ denote, respectively,
the Eilenberg-Moore category and the Kleisli category of $M$. The latter is defined as the
category whose objects are the same as $\mathbf{C}$ and a morphism $f: X \to Y$ in
$\mathrm{Kl}(M)$ is a morphism $f: X \to M(Y)$ in $\mathbf{C}$. We write
$U^M: \mathrm{EM}(M) \to \mathbf{C}$ and $U_M: \mathrm{Kl}(M) \to \mathbf{C}$ for the canonical
forgetful functors, and $F^M: \mathbf{C} \to \mathrm{EM}(M)$, $F_M: \mathbf{C} \to \mathrm{Kl}(M)$
for their respective left adjoints. Recall, in particular, that $F^M(X) = (X, \mu^M_X)$ and, for
$f: X \to Y$, $F^M(f) = M(f)$. Given a natural number $n$, we denote by $\underline{n}$ the set
$\{1, \ldots, n\}$.


2 (Weak) Distributive laws 


Given two monads $S$ and $T$ on a category $\mathbf{C}$, is there a way to compose them to form
a new monad $ST$ on $\mathbf{C}$? This question was answered by Beck [3] and his theory of
distributive laws, which are natural transformations $\delta: TS \to ST$ satisfying four axioms
and that provide a canonical way to endow the composite functor $ST$ with a monad structure. We
begin by recalling the classic definition. In the following, let $(T, \eta^T, \mu^T)$ and
$(S, \eta^S, \mu^S)$ be two monads on a category $\mathbf{C}$.

Definition 1. A distributive law of the monad $S$ over the monad $T$ is a natural
transformation $\delta: TS \to ST$ such that the following four diagrams commute (the two
squares for the multiplications run through $TSS \to STS \to SST$ and $TTS \to TST \to STT$):

\[
\delta \circ \eta^T S = S\eta^T, \qquad
\delta \circ T\eta^S = \eta^S T, \qquad
\delta \circ \mu^T S = S\mu^T \circ \delta T \circ T\delta, \qquad
\delta \circ T\mu^S = \mu^S T \circ S\delta \circ \delta S. \tag{1}
\]
One important result of Beck's theory is the bijective correspondence between distributive
laws, liftings to Eilenberg-Moore algebras and extensions to Kleisli categories, in the
following sense.

Definition 2. A lifting of the monad $S$ to $\mathrm{EM}(T)$ is a monad
$(\tilde S, \eta^{\tilde S}, \mu^{\tilde S})$ on $\mathrm{EM}(T)$ such that the square

\[ U^T \tilde S = S\, U^T \colon \mathrm{EM}(T) \to \mathbf{C} \]

commutes, $U^T \eta^{\tilde S} = \eta^S U^T$ and $U^T \mu^{\tilde S} = \mu^S U^T$.

An extension of the monad $T$ to $\mathrm{Kl}(S)$ is a monad
$(\tilde T, \eta^{\tilde T}, \mu^{\tilde T})$ on $\mathrm{Kl}(S)$ such that the square

\[ \tilde T F_S = F_S\, T \colon \mathbf{C} \to \mathrm{Kl}(S) \]

commutes, $\eta^{\tilde T} F_S = F_S \eta^T$ and $\mu^{\tilde T} F_S = F_S \mu^T$.


Böhm [11] and Street [37] have studied various weaker notions of distributive law; here we
shall use the one that consists in dropping the axiom involving $\eta^T$ in Definition 1,
following the approach of Garner [15].

Definition 3. A weak distributive law of $S$ over $T$ is a natural transformation
$\delta: TS \to ST$ such that the diagrams in (1) regarding $\mu^S$, $\mu^T$ and $\eta^S$
commute.


There are suitable weaker notions of liftings and extensions which also bijectively correspond
to weak distributive laws, as proved in [11,15].

Definition 4. A weak lifting of $S$ to $\mathrm{EM}(T)$ consists of a monad
$(\tilde S, \eta^{\tilde S}, \mu^{\tilde S})$ on $\mathrm{EM}(T)$ and two natural
transformations

\[ U^T \tilde S \xrightarrow{\ \iota\ } S U^T \xrightarrow{\ \pi\ } U^T \tilde S \]

such that $\pi\iota = \mathrm{id}_{U^T \tilde S}$ and such that the following diagrams commute:

\[
\iota \circ U^T \mu^{\tilde S} = \mu^S U^T \circ S\iota \circ \iota\tilde S \colon U^T\tilde S\tilde S \to SU^T,
\qquad
\iota \circ U^T \eta^{\tilde S} = \eta^S U^T \colon U^T \to SU^T,
\]
\[
U^T \mu^{\tilde S} \circ \pi\tilde S \circ S\pi = \pi \circ \mu^S U^T \colon SSU^T \to U^T\tilde S,
\qquad
\pi \circ \eta^S U^T = U^T \eta^{\tilde S} \colon U^T \to U^T\tilde S.
\]

A weak extension of $T$ to $\mathrm{Kl}(S)$ is a functor $\tilde T: \mathrm{Kl}(S) \to \mathrm{Kl}(S)$
together with a natural transformation $\mu^{\tilde T}: \tilde T \tilde T \to \tilde T$ such that
$F_S T = \tilde T F_S$ and $\mu^{\tilde T} F_S = F_S \mu^T$.

Theorem 5 ([3,11,15]). There is a bijective correspondence between (weak) distributive laws
$TS \to ST$, (weak) liftings of $S$ to $\mathrm{EM}(T)$ and (weak) extensions of $T$ to
$\mathrm{Kl}(S)$.
3 The Powerset and Semimodule Monads

The Monad P. Let us now consider, as $S$, the powerset monad $(P, \eta^P, \mu^P)$, where
$\eta^P_X(x) = \{x\}$ and $\mu^P_X(\mathcal U) = \bigcup_{U \in \mathcal U} U$. Its algebras are
precisely the complete semilattices and we have that $\mathrm{Kl}(P)$ is isomorphic to the
category $\mathbf{Rel}$ of sets and relations. Hence, giving a distributive law $TP \to PT$ is
the same as giving an extension of $T$ to $\mathbf{Rel}$: for this to happen the notion of
weakly cartesian functor and natural transformation is crucial.


Definition 6. A functor $T: \mathbf{Set} \to \mathbf{Set}$ is said to be weakly cartesian if and
only if it preserves weak pullbacks. A natural transformation $\rho: F \to G$ is said to be
weakly cartesian if and only if its naturality squares are weak pullbacks.


Kurz and Velebil [29] proved, using an original argument of Barr [2], that an endofunctor $T$
on $\mathbf{Set}$ has at most one extension to $\mathbf{Rel}$ and this happens precisely when it
is weakly cartesian; similarly a natural transformation $\rho: F \to G$, with $F$ and $G$ weakly
cartesian, has at most one extension $\tilde\rho: \tilde F \to \tilde G$, precisely when it is
weakly cartesian. The following result is therefore immediate.

Proposition 7 ([15, Corollary 16]). For any monad $(T, \eta^T, \mu^T)$ on $\mathbf{Set}$:

1. There exists a unique distributive law of $P$ over $T$ if and only if $T$, $\eta^T$ and
   $\mu^T$ are weakly cartesian.
2. There exists a unique weak distributive law of $P$ over $T$ if and only if $T$ and $\mu^T$
   are weakly cartesian.


The Monad S. Recall that a semiring is a tuple $(S, +, \cdot, 0, 1)$ such that $(S, +, 0)$ is a
commutative monoid, $(S, \cdot, 1)$ is a monoid, $\cdot$ distributes over $+$ and $0$ is an
annihilating element for $\cdot$. In other words, a semiring is a ring where not every element
has an additive inverse. Natural numbers $\mathbb{N}$ with the usual operations of addition and
multiplication form a semiring. Similarly, integers, rationals and reals form semirings. Also
the Booleans $\mathbf{Bool} = \{0, 1\}$ with $\vee$ and $\wedge$ acting as $+$ and $\cdot$,
respectively, form a semiring.

Every semiring $S$ generates a semimodule monad $S$ on $\mathbf{Set}$ as follows. Given a set
$X$, $S(X) = \{\varphi: X \to S \mid \mathrm{supp}\,\varphi \text{ finite}\}$, where
$\mathrm{supp}\,\varphi = \{x \in X \mid \varphi(x) \neq 0\}$. For $f: X \to Y$, define for all
$\varphi \in S(X)$

\[ S(f)(\varphi)(y) = \sum_{x \in f^{-1}\{y\}} \varphi(x). \]

This makes $S$ a functor. The unit $\eta^S_X: X \to S(X)$ is given by $\eta^S_X(x) = \Delta_x$,
where $\Delta_x$ is the Dirac function centred in $x$, while the multiplication
$\mu^S_X: S^2(X) \to S(X)$ is defined for all $\Psi \in S^2(X)$ as

\[ \mu^S_X(\Psi) = \Big( x \mapsto \sum_{\varphi \in \mathrm{supp}\,\Psi} \Psi(\varphi) \cdot \varphi(x) \Big) \colon X \to S. \]
Table 2. Definition of some properties of a semiring $S$. Here $a, b, c, d \in S$.

  Positive:   $a + b = 0 \implies a = 0 = b$
  Semifield:  $a \neq 0 \implies \exists x.\ a \cdot x = x \cdot a = 1$
  Refinable:  $a + b = c + d \implies \exists x, y, z, t.\ x + y = a,\ z + t = b,\ x + z = c,\ y + t = d$
  (A):        $a + b = 1 \implies a = 0 \text{ or } b = 0$
  (B):        $a \cdot b = 0 \implies a = 0 \text{ or } b = 0$
  (C):        $a + c = b + c \implies a = b$
  (D):        $\forall a, b.\ \exists x.\ a + x = b \text{ or } b + x = a$
  (E):        $a + b = c \cdot d \implies \exists t: \{(x, y) \in S^2 \mid x + y = d\} \to S$ such that
              $\sum_{x + y = d} t(x, y)\,x = a$, $\sum_{x + y = d} t(x, y)\,y = b$, $\sum_{x + y = d} t(x, y) = c$.


An algebra for $S$ is precisely a left-$S$-semimodule, namely a set $X$ equipped with a binary
operation $+$, an element $0$ and a unary operation $\lambda \cdot$ for each $\lambda \in S$,
satisfying the semimodule equations in Table 1. Indeed, if $X$ carries a semimodule structure
then one can define a map $\alpha: SX \to X$ as, for $\varphi \in SX$,

\[ \alpha(\varphi) = \sum_{x \in X} \varphi(x) \cdot x \tag{4} \]

where the above sum is finite because so is $\mathrm{supp}\,\varphi$. Vice versa, if
$(X, \alpha)$ is an $S$-algebra, then the corresponding left-semimodule structure on $X$ is
obtained by defining for all $\lambda \in S$ and $x, y \in X$

\[ x +^{\alpha} y = \alpha(x \mapsto 1, y \mapsto 1), \qquad 0^{\alpha} = \alpha(\varepsilon), \qquad \lambda \cdot^{\alpha} x = \alpha(x \mapsto \lambda). \tag{5} \]

Above and in the remainder of the paper, we write the list $(x_1 \mapsto s_1, \ldots, x_n \mapsto s_n)$
for the only function $\varphi: X \to S$ with support $\{x_1, \ldots, x_n\}$ mapping $x_i$ to
$s_i$, and we write the empty list $\varepsilon$ for the function constant to $0$. For instance,
for $\alpha = \mu^S_X: SSX \to SX$, the left-semimodule structure is defined for all
$\varphi_1, \varphi_2 \in SX$ and $x \in X$ as

\[ (\varphi_1 +^{\mu} \varphi_2)(x) = \varphi_1(x) + \varphi_2(x), \qquad 0^{\mu}(x) = 0, \qquad (\lambda \cdot^{\mu} \varphi_1)(x) = \lambda \cdot \varphi_1(x). \]


Proposition 7 tells us exactly when a (weak) distributive law of the form $TP \to PT$ exists
for an arbitrary monad $T$ on $\mathbf{Set}$. Take then $T = S$: when are the functor $S$ and
the natural transformations $\eta^S$ and $\mu^S$ weakly cartesian? The answer has been given in
[12] (see also [18]), where a complete characterisation in purely algebraic properties of $S$
is provided. In Table 2 we recall such properties.

Theorem 8 ([12]). Let $S$ be a semiring.

1. The functor $S$ is weakly cartesian if and only if $S$ is positive and refinable.
2. $\eta^S$ is weakly cartesian if and only if $S$ enjoys (A) in Table 2.
3. If $S$ is weakly cartesian, then $\mu^S$ is weakly cartesian if and only if $S$ enjoys (B)
   and (E) in Table 2.
Remark 9. In [12, Proposition 9.1] it is proved that if $S$ enjoys (C) and (D), then $S$ is
refinable; if $S$ is a positive semifield, then it enjoys (B) and (E). In the next Proposition
we prove that if $S$ is a positive semifield then it is also refinable, hence $S$ and $\mu^S$
are weakly cartesian.


Proposition 10. If $S$ is a positive semifield, then it is refinable.

Proof. Let $a, b, c$ and $d$ in $S$ be such that $a + b = c + d$. If $a + b = 0$, then take
$x = y = z = t = 0$; otherwise $c + d = a + b \neq 0$ is invertible, and we take

\[ x = \frac{ac}{c + d}, \qquad y = \frac{ad}{c + d}, \qquad z = \frac{bc}{c + d}, \qquad t = \frac{bd}{c + d}. \]

Then $x + y = a$, $z + t = b$, $x + z = c$ and $y + t = d$, the last two because
$(a + b)c = (c + d)c$ and $(a + b)d = (c + d)d$.


Example 11. It is known that, for $S = \mathbb{N}$, a distributive law $\delta: SP \to PS$
exists. Indeed one can check that all conditions of Theorem 8 are satisfied, therefore we can
apply Proposition 7.1. In this case, the monad $S$ is naturally isomorphic to the commutative
monoid monad, which given a set $X$ returns the collection of all multisets of elements of $X$.
The law $\delta$ is well known (see e.g. [15,23]): given a multiset $(A_1, \ldots, A_n)$ of
subsets of $X$ in $SPX$, where the $A_i$'s need not be distinct, it returns the set of multisets
$\{(a_1, \ldots, a_n) \mid a_i \in A_i\}$.


Convex Subsets of Left-semimodules. Theorem 8 together with Proposition 7.1 tell us that
whenever the element $1$ of $S$ can be decomposed as a non-trivial sum there is no distributive
law $\delta: SP \to PS$. Semirings with this property abound, for example $\mathbb{Q}$,
$\mathbb{R}$, $\mathbb{R}^+$ with the usual operations of sum and multiplication, as well as
$\mathbf{Bool}$ (since $1 \vee 1 = 1$). Such semirings are precisely those for which the notion
of convex subset of their left-semimodules is non-trivial. For the existence of a weak
distributive law, however, this condition on $1_S$ is not required: convexity will indeed play
a crucial role in the definition of the weak distributive law.


Definition 12. Let $S$ be a semiring, $X$ an $S$-left-semimodule and $A \subseteq X$. The
convex closure of $A$ is the set

\[ \overline{A} = \Big\{ \sum_{i=1}^{n} s_i \cdot a_i \;\Big|\; n \in \mathbb{N},\ s_i \in S,\ a_i \in A,\ \sum_{i=1}^{n} s_i = 1 \Big\}. \]

The set $A$ is said to be convex if and only if $A = \overline{A}$.


Recalling that the category of $S$-left-semimodules is isomorphic to $\mathrm{EM}(S)$, we can
use (4) to translate Definition 12 of convex subset of a semimodule into the following notion of
convex subset of an $S$-algebra $\alpha: SX \to X$.

Definition 13. Let $S$ be a semiring, $(X, \alpha) \in \mathrm{EM}(S)$, $A \subseteq X$. The
convex closure of $A$ in $(X, \alpha)$ is the set

\[ \overline{A}^{\alpha} = \Big\{ \alpha(\varphi) \;\Big|\; \varphi \in SX,\ \mathrm{supp}\,\varphi \subseteq A,\ \sum_{x \in X} \varphi(x) = 1 \Big\}. \]

$A$ is said to be convex in $(X, \alpha)$ if and only if $A = \overline{A}^{\alpha}$. We denote
by $P^{\alpha} X$ the set of convex subsets of $X$ with respect to $\alpha$.

Remark 14. Observe that $\emptyset$ is convex, because $\overline{\emptyset}^{\alpha} = \emptyset$,
since there is no $\varphi \in SX$ with empty support such that $\sum_{x \in X} \varphi(x) = 1$.


Example 15. Suppose $S$ is such that $\eta^S$ is weakly cartesian (equivalently (A) holds:
$x + y = 1 \implies x = 0$ or $y = 0$), for example $S = \mathbb{N}$, and let
$(X, \alpha) \in \mathrm{EM}(S)$. A $\varphi \in SX$ such that $\sum_{x \in X} \varphi(x) = 1$
and $\mathrm{supp}\,\varphi \subseteq A$ is a function that assigns $1$ to exactly one element
of $A$ and $0$ to all the other elements of $X$. These functions are precisely all the
$\Delta_x$ for those elements $x \in A$. Since $\alpha: SX \to X$ is a structure map for an
$S$-algebra, it maps the function $\Delta_x$ into $x$. Therefore
$\overline{A}^{\alpha} = \{\alpha(\Delta_x) \mid x \in A\} = \{x \mid x \in A\} = A$. Thus all
$A \in PX$ are convex.


Example 16. When $S = \mathbf{Bool}$, we have that $S$ is naturally isomorphic to $P_f$, the
finite powerset monad, whose algebras are idempotent commutative monoids or equivalently
semilattices with a bottom element. So, for $(X, \alpha) \in \mathrm{EM}(S)$, a $\varphi \in SX$
such that $\sum_{x \in X} \varphi(x) = 1$ and $\mathrm{supp}\,\varphi \subseteq A$ is any
finitely supported function from $X$ to $\mathbf{Bool}$ that assigns $1$ to at least one
element of $A$. Intuitively, such a $\varphi$ selects a non-empty finite subset of $A$, then
$\alpha(\varphi)$ takes the join of all the selected elements. Thus, $\overline{A}^{\alpha}$
adds to $A$ all the possible joins of non-empty finite subsets of $A$: $A$ is convex if and
only if it is closed under binary joins.
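As an added illustration of Definition 13 and Example 16 (this is not code from the paper), the
following Python computes the convex closure $\overline{A}^{\alpha}$ in the Boolean case, where
the structure map $\alpha$ is a join, and checks the stated characterisation: $A$ is convex iff
it is closed under binary joins. The sample algebra (subsets of $\{1, 2\}$ under union, and the
integers under max) and all function names are this example's own assumptions.

```python
from itertools import combinations

# Constructed sample algebra: X = subsets of {1, 2} under union, a semilattice
# with bottom (the empty set).  For S = Bool this is an EM(S)-algebra whose
# structure map alpha(phi) is the join of the elements selected by phi.

def union(a, b):
    return a | b


def convex_closure(A, join):
    """Definition 13 for S = Bool (Example 16): alpha(phi) for every phi with
    non-empty support inside A, i.e. the join of every non-empty finite
    subset of A.  A is a finite set of hashable elements."""
    elems = list(A)
    closure = set()
    for r in range(1, len(elems) + 1):
        for subset in combinations(elems, r):
            acc = subset[0]
            for e in subset[1:]:
                acc = join(acc, e)
            closure.add(acc)
    return closure


def is_convex(A, join):
    """A is convex iff A is closed under binary joins (Example 16)."""
    return all(join(a, b) in A for a in A for b in A)


def closure_by_binary_joins(A, join):
    """Iteratively add binary joins until a fixed point; by associativity of
    the join this must agree with convex_closure."""
    cur = set(A)
    while True:
        new = {join(a, b) for a in cur for b in cur} - cur
        if not new:
            return cur
        cur |= new


# Constructed sample: {1} and {2} are not closed under union; the closure adds {1, 2}.
S1, S2, S12 = frozenset({1}), frozenset({2}), frozenset({1, 2})
SAMPLE = {S1, S2}

if __name__ == "__main__":
    print(sorted(map(set, convex_closure(SAMPLE, union))))
    print(is_convex(SAMPLE, union), is_convex(convex_closure(SAMPLE, union), union))
```

Note that `convex_closure(set(), ...)` returns the empty set, which is Remark 14 in this
setting; a totally ordered carrier such as the integers under `max` has every subset convex,
since the join of two elements is always one of them.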


4 The Weak Distributive Law $\delta: SP \to PS$

Weak extensions of $S$ to $\mathrm{Kl}(P) = \mathbf{Rel}$ only consist of extensions of the
functor $S$ and of the multiplication $\mu^S$, for which necessary and sufficient conditions
are listed in Theorem 8. Hence for semirings $S$ satisfying those criteria a weak distributive
law $\delta: SP \to PS$ does exist, and it is unique because there is only one extension of the
functor $S$ to $\mathbf{Rel}$.

Theorem 17. Let $S$ be a positive, refinable semiring satisfying (B) and (E) in Table 2. Then
there exists a unique weak distributive law $\delta: SP \to PS$ defined for all sets $X$ and
$\Phi \in SPX$ as:

\[
\delta_X(\Phi) = \Big\{ \varphi \in SX \;\Big|\; \exists \psi \in S(\mathcal{S}_X).\
\forall A \in PX.\ \Phi(A) = \sum_{x \in A} \psi(A, x) \ \text{(a)},\quad
\forall x \in X.\ \varphi(x) = \sum_{A \ni x} \psi(A, x) \ \text{(b)} \Big\} \tag{6}
\]

where $\mathcal{S}_X$ is the set $\{(A, x) \in PX \times X \mid x \in A\}$.


The above $\delta$, which is obtained by following the standard recipe of Proposition 7, is
illustrated by the following example.


Example 18. Take $S = \mathbb{R}^+$ with the usual operations of sum and multiplication.
Consider $X = \{x, y, z, a, b\}$, $A_1 = \{x, y\}$, $A_2 = \{y, z\}$ and $A_3 = \{a, b\}$. Let
$\Phi \in S(PX)$ be defined as

\[ \Phi = (A_1 \mapsto 5,\ A_2 \mapsto 9,\ A_3 \mapsto 13) \]

and $\Phi(A) = 0$ for all other sets $A \subseteq X$, so $\mathrm{supp}\,\Phi = \{A_1, A_2, A_3\}$.
In order to find an element $\varphi \in \delta_X(\Phi)$, we can first take a
$\psi \in S(\mathcal{S}_X)$ satisfying condition (a) in (6) and then compute the
$\varphi \in SX$ using condition (b).

Among the $\psi \in S(\mathcal{S}_X)$, consider for instance the following:

\[ \psi = \big((A_1, x) \mapsto 2,\ (A_1, y) \mapsto 3,\ (A_2, y) \mapsto 4,\ (A_2, z) \mapsto 5,\ (A_3, a) \mapsto 6,\ (A_3, b) \mapsto 7\big). \]

Since $\Phi(A_1) = \psi(A_1, x) + \psi(A_1, y)$, $\Phi(A_2) = \psi(A_2, y) + \psi(A_2, z)$ and
$\Phi(A_3) = \psi(A_3, a) + \psi(A_3, b)$, we have that $\psi$ satisfies condition (a) in (6).
Condition (b) forces $\varphi$ to be the following:

\[ \varphi = (x \mapsto 2,\ y \mapsto 3 + 4,\ z \mapsto 5,\ a \mapsto 6,\ b \mapsto 7). \]


Remark 19. If $S$ enjoys (A) in Table 2, then the transformation $\delta$ given in (6) is
actually a distributive law, and for $S = \mathbb{N}$ we recover the well-known $\delta$ of
Example 11. Example 18 can be repeated with $S = \mathbb{N}$: then $\Phi$ is the multiset where
the set $A_1$ occurs five times, $A_2$ nine times and $A_3$ thirteen times. The elements of
$\delta_X(\Phi)$ are all those multisets containing one element per copy of $A_1$, $A_2$ and
$A_3$ in $\mathrm{supp}\,\Phi$. The $\varphi$ provided indeed contains five elements of $A_1$
(two copies of $x$ and three of $y$), nine elements of $A_2$ (four copies of $y$ and five of
$z$), thirteen elements of $A_3$ (six copies of $a$ and seven of $b$).


As Example 18 shows, each element $\varphi$ of $\delta_X(\Phi)$ is determined by a function
$\psi$ choosing for each set $A \in \mathrm{supp}\,\Phi$ a finite number of elements
$x^A_1, \ldots, x^A_{m_A}$ in $A$ and $s^A_1, \ldots, s^A_{m_A}$ in $S$ in such a way that
$\sum_{j=1}^{m_A} s^A_j = \Phi(A)$. The function $\varphi$ maps each $x^A_j$ to $s^A_j$ if the
sets in $\mathrm{supp}\,\Phi$ are disjoint; if however there are $x^A_i = x^B_j$ (like $y$ in
Example 18), then $x^A_i$ is mapped to $s^A_i + s^B_j$. Among those $\psi$'s, there are some
special, minimal ones as it were, that choose for each $A$ in $\mathrm{supp}\,\Phi$ exactly one
element of $A$, and assign to it $\Phi(A)$. The induced $\varphi$ in $\delta_X(\Phi)$ can be
described as $\varphi(x) = \sum_{A \in u^{-1}\{x\}} \Phi(A)$ (equivalently $S(u)(\Phi)$¹) where
$u: \mathrm{supp}\,\Phi \to X$ is a function selecting an element of $A$ for each
$A \in \mathrm{supp}\,\Phi$ (that is $u(A) \in A$). We denote the set of such $\varphi$'s by
$c(\Phi)$:

\[ c(\Phi) = \{ S(u)(\Phi) \mid u: \mathrm{supp}\,\Phi \to X \text{ such that } \forall A \in \mathrm{supp}\,\Phi.\ u(A) \in A \}. \tag{7} \]

Example 20. Take $X$, $A_1$ and $A_2$ as in Example 18, but a different, smaller
$\Phi \in S(PX)$ defined as $\Phi = (A_1 \mapsto 1, A_2 \mapsto 2)$. There are only four
functions $u: \mathrm{supp}\,\Phi \to X$ such that $u(A) \in A$ and thus only four functions
$\varphi$ in $c(\Phi)$:

\[
\begin{array}{ll}
u_1 = (A_1 \mapsto x,\ A_2 \mapsto y) & \varphi_1 = (x \mapsto 1,\ y \mapsto 2) \\
u_2 = (A_1 \mapsto x,\ A_2 \mapsto z) & \varphi_2 = (x \mapsto 1,\ z \mapsto 2) \\
u_3 = (A_1 \mapsto y,\ A_2 \mapsto y) & \varphi_3 = (y \mapsto 3) \\
u_4 = (A_1 \mapsto y,\ A_2 \mapsto z) & \varphi_4 = (y \mapsto 1,\ z \mapsto 2)
\end{array}
\]

Observe that the function $\varphi = (x \mapsto 1, y \mapsto 1, z \mapsto 1)$ belongs to
$\delta_X(\Phi)$ but not to $c(\Phi)$. Nevertheless $\varphi$ can be retrieved as the convex
combination $\frac{1}{2} \cdot \varphi_1 + \frac{1}{2} \cdot \varphi_2$.


¹ More precisely, we should write $S(u)(\Phi')$ where $\Phi'$ is the restriction of $\Phi$ to $\mathrm{supp}\,\Phi$.
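The next block is an added Python example (not part of the paper) working through Examples 18
and 20: it implements the functor action $S(f)$ of Section 3, the set $c(\Phi)$ of (7), the
check of a witness $\psi$ against conditions (a) and (b) of (6), and the convex combination
$\mu^S_X(\Psi)$ used in Theorem 21. $S$ is taken to be the non-negative rationals (Python
`Fraction`), the data $A_1, A_2, A_3, \Phi, \psi$ are those of the examples, and all function
names are this example's own.

```python
from fractions import Fraction
from itertools import product

# Elements of SX (finitely supported functions X -> S) are dicts {x: s} storing
# only non-zero values; S is the positive semifield of non-negative rationals,
# represented by Fraction (plain ints are accepted as well).

def normalize(phi):
    """Drop zero entries so that dict equality is equality of functions."""
    return {x: s for x, s in phi.items() if s != 0}


def S_map(f, phi):
    """S(f)(phi)(y) = sum of phi(x) over all x in f^{-1}{y}."""
    out = {}
    for x, s in phi.items():
        y = f(x)
        out[y] = out.get(y, 0) + s
    return normalize(out)


def as_key(phi):
    """Hashable representative of an element of SX (to build subsets of SX)."""
    return frozenset(normalize(phi).items())


def mu_S(Psi):
    """mu^S_X(Psi)(x) = sum over phi in supp Psi of Psi(phi) * phi(x);
    Psi maps as_key(phi) to a weight in S."""
    out = {}
    for key, w in Psi.items():
        for x, s in key:
            out[x] = out.get(x, 0) + w * s
    return normalize(out)


def c_of(Phi):
    """The set c(Phi) of (7): one function S(u)(Phi) per choice function u with
    u(A) in A for every A in supp Phi.  Phi maps frozensets A to weights."""
    supports = [A for A, w in Phi.items() if w != 0]
    result = set()
    for choice in product(*[sorted(A) for A in supports]):
        u = dict(zip(supports, choice))
        result.add(as_key(S_map(lambda A: u[A], {A: Phi[A] for A in supports})))
    return result


def element_from_witness(Phi, psi):
    """Given psi in S(S_X) (keys (A, x) with x in A), check condition (a) of (6)
    and return the phi determined by condition (b); raise if (a) fails."""
    for (A, x), _ in psi.items():
        if x not in A:
            raise ValueError(f"{x!r} is not an element of {set(A)!r}")
    # (a): Phi(A) must equal the sum of psi(A, x) over x in A, for every A
    if S_map(lambda pair: pair[0], psi) != normalize(Phi):
        raise ValueError("condition (a) of (6) fails")
    # (b): phi(x) is the sum of psi(A, x) over the sets A containing x
    return S_map(lambda pair: pair[1], psi)


# Constructed data of Example 18: X = {x, y, z, a, b}, Phi = (A1 -> 5, A2 -> 9, A3 -> 13).
A1, A2, A3 = frozenset("xy"), frozenset("yz"), frozenset("ab")
PHI_18 = {A1: 5, A2: 9, A3: 13}
PSI_18 = {(A1, "x"): 2, (A1, "y"): 3, (A2, "y"): 4, (A2, "z"): 5, (A3, "a"): 6, (A3, "b"): 7}


def example_18():
    return element_from_witness(PHI_18, PSI_18)


# Constructed data of Example 20: Phi = (A1 -> 1, A2 -> 2).
PHI_20 = {A1: Fraction(1), A2: Fraction(2)}


def example_20():
    """Return (c(Phi), phi, phi in c(Phi)) where phi = (x->1, y->1, z->1) is the
    convex combination 1/2 * phi1 + 1/2 * phi2 of two members of c(Phi)."""
    cset = c_of(PHI_20)
    phi1 = as_key({"x": 1, "y": 2})
    phi2 = as_key({"x": 1, "z": 2})
    phi = mu_S({phi1: Fraction(1, 2), phi2: Fraction(1, 2)})
    return cset, phi, as_key(phi) in cset


if __name__ == "__main__":
    print(example_18())
    print(example_20())
```

`c_of` also reproduces the two degenerate cases used later in the proof of Proposition 28: for
$\Phi = \varepsilon$ it returns $\{\varepsilon\}$, and when $\emptyset$ lies in the support of
$\Phi$ no choice function exists and it returns $\emptyset$.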
Our key result states that every $\varphi \in \delta_X(\Phi)$ can be written as a convex
combination (performed in the $S$-algebra $(SX, \mu^S_X)$) of functions in $c(\Phi)$, at least
when $S$ is a positive semifield, which by Remark 9 and Proposition 10 satisfies all the
conditions that make (6) a weak distributive law. The proof is laborious and omitted here: we
only remark that divisions in $S$ play a crucial role in it.

Theorem 21. Let $S$ be a positive semifield. Then for all sets $X$ and $\Phi \in SPX$

\[
\delta_X(\Phi) = \Big\{ \mu^S_X(\Psi) \;\Big|\; \Psi \in S^2X,\ \sum_{\varphi \in SX} \Psi(\varphi) = 1,\ \mathrm{supp}\,\Psi \subseteq c(\Phi) \Big\} = \overline{c(\Phi)}^{\mu^S_X}. \tag{8}
\]


Remark 22. If we drop the hypothesis of semifield and only have the minimal assumptions of
Theorem 17, then (8) does not hold any more: $S = \mathbb{N}$ is a counterexample. Indeed, in
this case every subset of $SX$ is convex with respect to $\mu^S_X$ (see Example 15), therefore
we would have $\delta_X(\Phi) = c(\Phi)$, which is false: the function $\varphi$ of Example 18
is an example of an element in $\delta_X(\Phi) \setminus c(\Phi)$.


Remark 23. When $S = \mathbf{Bool}$ (which is a positive semifield), the monad $S$ coincides
with the monad $P_f$. The function $c(\cdot)$ in (7) can then be described as

\[ c(\mathcal{A}) = \{ P_f(u)(\mathcal{A}) \mid u: \mathcal{A} \to X \text{ such that } \forall A \in \mathcal{A}.\ u(A) \in A \} \]

for all $\mathcal{A} \in P_f P X$. It is worth remarking that this is the transformation
appearing in Example 9 of [27] (which is in turn equivalent to the one in Example 2.4.7 of
[31]). This transformation was erroneously supposed to be a distributive law, as it fails to be
natural (see [28]). However, by taking its convex closure, as displayed in (8), one can turn it
into a weak distributive law.


5 The Weak Lifting of P to EM(S) 


By exploiting the characterisation of the weak distributive law $\delta$ (Theorem 21), we can
now describe the weak lifting of $P$ to $\mathrm{EM}(S)$ generated by $\delta$.

Recall from Definition 13 that $P^{\alpha} X$ is the set of convex subsets of $X$ with respect
to the $S$-algebra $\alpha: SX \to X$. The functions $\iota_{(X,\alpha)}: P^{\alpha} X \to PX$
and $\pi_{(X,\alpha)}: PX \to P^{\alpha} X$ are defined for all $A \in P^{\alpha} X$ and
$B \in PX$ as

\[ \iota_{(X,\alpha)}(A) = A \qquad \text{and} \qquad \pi_{(X,\alpha)}(B) = \overline{B}^{\alpha}; \tag{9} \]

that is, $\iota_{(X,\alpha)}$ is just the obvious set inclusion and $\pi_{(X,\alpha)}$ performs
the convex closure in $\alpha$. The function $\tilde\alpha: S P^{\alpha} X \to P^{\alpha} X$ is
defined for all $\Phi \in S P^{\alpha} X$ as

\[ \tilde\alpha(\Phi) = \{ \alpha(\varphi) \mid \varphi \in c(\Phi) \}. \tag{10} \]

To be completely formal, above we should have written $c(S(\iota)(\Phi))$ in place of
$c(\Phi)$, but it is immediate to see that the two sets coincide. Proving that
$\tilde\alpha: S P^{\alpha} X \to P^{\alpha} X$ is well defined (namely, $\tilde\alpha(\Phi)$ is
a convex set) and forms an $S$-algebra requires some ingenuity and will be shown later in
Section 5.1. The assignment $(X, \alpha) \mapsto (P^{\alpha} X, \tilde\alpha)$ gives rise to a
functor $\tilde P: \mathrm{EM}(S) \to \mathrm{EM}(S)$ defined on morphisms
$f: (X, \alpha) \to (X', \alpha')$ as

\[ \tilde P(f)(A) = Pf(A) \tag{11} \]

for all $A \in P^{\alpha} X$. For all $(X, \alpha)$ in $\mathrm{EM}(S)$,
$\eta^{\tilde P}_{(X,\alpha)}: (X, \alpha) \to \tilde P(X, \alpha)$ and
$\mu^{\tilde P}_{(X,\alpha)}: \tilde P \tilde P(X, \alpha) \to \tilde P(X, \alpha)$ are defined
for $x \in X$ and $\mathcal{A} \in P^{\tilde\alpha}(P^{\alpha} X)$ as

\[ \eta^{\tilde P}_{(X,\alpha)}(x) = \{x\} \qquad \text{and} \qquad \mu^{\tilde P}_{(X,\alpha)}(\mathcal{A}) = \bigcup_{A \in \mathcal{A}} A. \tag{12} \]

Theorem 24. Let $S$ be a positive semifield. Then the canonical weak lifting of the powerset
monad $P$ to $\mathrm{EM}(S)$, determined by (8), consists of the monad
$(\tilde P, \eta^{\tilde P}, \mu^{\tilde P})$ on $\mathrm{EM}(S)$ defined as in (10), (11), (12)
and the natural transformations $\iota: U^S \tilde P \to P U^S$ and
$\pi: P U^S \to U^S \tilde P$ defined as in (9).


It is worth spelling out the left-semimodule structure on $P^{\alpha} X$ corresponding to the
$S$-algebra $\tilde\alpha: S P^{\alpha} X \to P^{\alpha} X$. Let us start with
$\lambda \cdot^{\tilde\alpha} A$ for some $A \in P^{\alpha} X$. By (5),
$\lambda \cdot^{\tilde\alpha} A = \tilde\alpha(\Phi)$ where $\Phi = (A \mapsto \lambda)$. By (10),
$\tilde\alpha(\Phi) = \{\alpha(\varphi) \mid \varphi \in c(\Phi)\}$. Following the definition of
$c(\Phi)$ given in (7), one has to consider functions $u: \mathrm{supp}\,\Phi \to X$ such that
$u(B) \in B$ for all $B \in \mathrm{supp}\,\Phi$: if $\lambda \neq 0$, then
$\mathrm{supp}\,\Phi = \{A\}$ and thus, for each $x \in A$, there is exactly one function
$u_x: \mathrm{supp}\,\Phi \to X$ mapping $A$ into $x$. It is immediate to see that
$S(u_x)(\Phi)$ is exactly the function $(x \mapsto \lambda)$ and thus $\alpha(S(u_x)(\Phi))$ is,
by (5), $\lambda \cdot^{\alpha} x$. Now if $\lambda = 0$, then $\mathrm{supp}\,\Phi = \emptyset$,
so there is exactly one function $u: \mathrm{supp}\,\Phi \to X$ and $S(u)(\Phi)$ is the
function mapping all $x \in X$ into $0$ and thus, by (5), $\alpha(S(u)(\Phi)) = 0^{\alpha}$.
Summarising,

\[
\lambda \cdot^{\tilde\alpha} A =
\begin{cases}
\{ \lambda \cdot^{\alpha} x \mid x \in A \} & \text{if } \lambda \neq 0 \\
\{ 0^{\alpha} \} & \text{if } \lambda = 0
\end{cases} \tag{13}
\]

Following similar lines of thought, one can check that

\[ A +^{\tilde\alpha} B = \{ x +^{\alpha} y \mid x \in A,\ y \in B \} \qquad \text{and} \qquad 0^{\tilde\alpha} = \{ 0^{\alpha} \}. \tag{14} \]
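To make (13) and (14) concrete, here is an added Python example (not the paper's code) that
computes the structure map $\tilde\alpha$ of (10) for the free algebra $\alpha = \mu^S_X$ over
the non-negative rationals, and derives $\lambda \cdot A$, $A + B$ and $0$ from it via (5)
rather than from the closed forms. It reproduces the two cases of (13), in particular
$0 \cdot \emptyset = \{0^{\alpha}\}$ and $\lambda \cdot \emptyset = \emptyset$ for
$\lambda \neq 0$, and the absorption $A + \emptyset = \emptyset$ that (14) implies. The sample
sets over $X = \{x, y, z\}$ and all function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import product

# Elements of SX are frozensets of (x, s) pairs with s != 0 (S = non-negative
# rationals).  Subsets of SX are frozensets of such elements.  Taking
# alpha = mu^S_X makes (SX, alpha) the free S-algebra, so P^alpha X is the
# set of convex subsets of SX and alpha_tilde below is its structure map (10).

def as_key(phi):
    """Canonical element of SX from a dict {x: s}, dropping zero entries."""
    return frozenset((x, s) for x, s in phi.items() if s != 0)


def mu_S(Psi):
    """alpha = mu^S_X: Psi maps elements of SX to weights; returns sum Psi(phi) * phi."""
    out = {}
    for key, w in Psi.items():
        for x, s in key:
            out[x] = out.get(x, 0) + w * s
    return as_key(out)


def alpha_tilde(Phi):
    """(10): alpha_tilde(Phi) = { alpha(phi) | phi in c(Phi) }, where Phi maps finite
    subsets A of SX to weights and c(Phi) is the set (7) of all S(u)(Phi) for
    choice functions u with u(A) in A."""
    supports = [A for A, w in Phi.items() if w != 0]
    result = set()
    for choice in product(*[list(A) for A in supports]):
        # S(u)(Phi): each chosen element u(A) receives the weight Phi(A);
        # coinciding choices for different A accumulate, as S(u) sums fibres.
        Psi = {}
        for A, phi in zip(supports, choice):
            Psi[phi] = Psi.get(phi, 0) + Phi[A]
        result.add(mu_S(Psi))
    return result


def scalar(lam, A):
    """lambda . A computed by (5): alpha_tilde of the list (A -> lambda)."""
    return alpha_tilde({A: lam})


def plus(A, B):
    """A + B computed by (5): alpha_tilde of (A -> 1, B -> 1), merging if A = B."""
    Phi = {A: 1}
    Phi[B] = Phi.get(B, 0) + 1
    return alpha_tilde(Phi)


def zero():
    """0 computed by (5): alpha_tilde of the empty list."""
    return alpha_tilde({})


# Constructed sample over X = {x, y, z}: A = {Delta_x}, B = {Delta_y, Delta_z}.
DX, DY, DZ = as_key({"x": 1}), as_key({"y": 1}), as_key({"z": 1})
A_SET = frozenset({DX})
B_SET = frozenset({DY, DZ})
EMPTY = frozenset()

if __name__ == "__main__":
    print("2.B      =", scalar(Fraction(2), B_SET))
    print("A+B      =", plus(A_SET, B_SET))
    print("0.empty  =", scalar(Fraction(0), EMPTY))   # {0^alpha}, the point of Remark 25
    print("2.empty  =", scalar(Fraction(2), EMPTY))   # empty set
    print("A+empty  =", plus(A_SET, EMPTY))           # empty set
```

The case split of (13) falls out of the support: for $\lambda = 0$ the list $(A \mapsto 0)$ has
empty support, so the only choice function is the empty one and the result is
$\{\mu^S_X(\varepsilon)\} = \{0^{\alpha}\}$ whatever $A$ is, while for $\lambda \neq 0$ and
$A = \emptyset$ there is no choice function at all.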


Remark 25. By comparing (14) and (13) with (4) and (5) in [25], it is immediate to see that our
monad $\tilde P$ coincides with a slight variation of Jacobs's convex powerset monad $C$, the
only difference being that we do allow for $\emptyset$ to be in $P^{\alpha} X$. Jacobs insisted
on the necessity of $C(X)$ being the set of non-empty convex subsets of $X$, because otherwise
he was not able to define a semimodule structure on $C(X)$ such that
$0 \cdot \emptyset = \{0^{\alpha}\}$. However, we do manage to do so, since by (13),
$0 \cdot A = \{0^{\alpha}\}$ for all $A$ and in particular for $A = \emptyset$. At first sight,
this may look like an ad-hoc solution, but this is not the case: it is intrinsic in the
definition of the unique weak lifting of $P$ to $\mathrm{EM}(S)$, as stated by Theorem 24 and
shown next.


5.1 Proof of Theorem 24 


By Theorem 5, the weak distributive law (6) corresponds to a weak lifting $\tilde P$ of $P$ to
$\mathrm{EM}(S)$, which we are going to show coincides with the data of (9)-(12). The image
along $\tilde P$ of an $S$-algebra $(X, \alpha)$ will be a set $Y$ together with a structure map
$\tilde\alpha$ that makes it an $S$-algebra in turn. Garner [15, Proposition 13] gives us the
recipe to build $Y$ and $\tilde\alpha$ appropriately. $Y$ is obtained by splitting the following
idempotent in $\mathbf{Set}$:

\[ e_{(X,\alpha)} = PX \xrightarrow{\ \eta^S_{PX}\ } S(PX) \xrightarrow{\ \delta_X\ } P(SX) \xrightarrow{\ P\alpha\ } PX \tag{15} \]

as a composite $e_{(X,\alpha)} = \iota_{(X,\alpha)} \circ \pi_{(X,\alpha)}$, where
$\pi_{(X,\alpha)}$ is the corestriction of $e_{(X,\alpha)}$ to its image and $\iota_{(X,\alpha)}$
is the set-inclusion of the image of $e_{(X,\alpha)}$ into $PX$. In other words, $Y$ is the set
of fixed points of $e_{(X,\alpha)}$. $\tilde\alpha$ is obtained as the composite

\[ \tilde\alpha = SY \xrightarrow{\ S\iota_{(X,\alpha)}\ } SPX \xrightarrow{\ \delta_X\ } PSX \xrightarrow{\ P\alpha\ } PX \xrightarrow{\ \pi_{(X,\alpha)}\ } Y. \]

Let us, then, fix an $S$-algebra $(X, \alpha)$. Given $A \in PX$, we have
$\eta^S_{PX}(A) = \Delta_A: PX \to S$, the Dirac function centred in $A$. The set
$\delta_X(\eta^S_{PX}(A))$ has a simple description, shown in the next Lemma.


Lemma 26. For all $A \in PX$

\[ \delta_X(\eta^S_{PX}(A)) = \Big\{ \varphi \in SX \;\Big|\; \mathrm{supp}\,\varphi \subseteq A,\ \sum_{x \in X} \varphi(x) = 1 \Big\}. \]

The image along $A$ of the idempotent $e$ is therefore

\[ e(A) = P\alpha(\delta_X(\eta^S_{PX}(A))) = \Big\{ \alpha(\varphi) \;\Big|\; \varphi \in SX,\ \mathrm{supp}\,\varphi \subseteq A,\ \sum_{x \in X} \varphi(x) = 1 \Big\} = \overline{A}^{\alpha}. \]

Hence the idempotent $e$ computes the convex closure of elements of $PX$ and its fixed points
are precisely the convex subsets of $X$ with respect to the structure map $\alpha$. Therefore,
the carrier set of $\tilde P(X, \alpha)$ is precisely $P^{\alpha} X$, and the natural
transformations $\pi$ and $\iota$ are, respectively, the convex closure operator and the
set-inclusion of $P^{\alpha} X$ into $PX$ as in (9).

$P^{\alpha} X$ is then equipped with a structure map $\tilde\alpha: S P^{\alpha} X \to P^{\alpha} X$
given by

\[ \tilde\alpha = S P^{\alpha} X \xrightarrow{\ S\iota_{(X,\alpha)}\ } SPX \xrightarrow{\ \delta_X\ } PSX \xrightarrow{\ P\alpha\ } PX \xrightarrow{\ \pi_{(X,\alpha)}\ } P^{\alpha} X. \]

Let us try to calculate $\tilde\alpha$: given $\Phi: P^{\alpha} X \to S$ with finite support, we
have that $S(\iota_{(X,\alpha)})(\Phi)$ is just the extension of $\Phi$ to $PX$ which assigns
$0$ to each non-convex subset of $X$. If we write $\iota$ instead of $\iota_{(X,\alpha)}$ for
short, we have

\[ \tilde\alpha(\Phi) = \overline{P\alpha(\delta_X(S(\iota)(\Phi)))}^{\alpha}. \tag{16} \]

Next, we can use the following technical result.

Proposition 27. Let $(X, \alpha)$ be an $S$-algebra. If $A$ is a convex subset of
$(SX, \mu^S_X)$, then $P\alpha(A)$ is convex in $(X, \alpha)$.
Since $\delta_X(\Phi')$ is the convex closure of $c(\Phi')$ in $(SX, \mu^S_X)$ for every
$\Phi' \in SPX$, by Proposition 27 we can avoid performing the $\alpha$-convex closure in (16).
Therefore

\[ \tilde\alpha(\Phi) = P\alpha(\delta_X(S(\iota)(\Phi))) = P\alpha\Big( \overline{c(S(\iota)(\Phi))}^{\mu^S_X} \Big). \]

In the next Proposition we show that also the $\mu^S_X$-convex closure is superfluous, due to
the fact that $\Phi \in S P^{\alpha} X$ (and not simply $SPX$), thus obtaining (10).

Proposition 28. Let $S$ be a positive semifield, $(X, \alpha)$ an $S$-algebra,
$\Phi \in S P^{\alpha} X$. Then $P\alpha(\delta_X(S(\iota)(\Phi))) = P\alpha(c(S(\iota)(\Phi)))$.


Proof. In this proof we shall simply write $\Phi$ instead of the more verbose $S(\iota)(\Phi)$.
We want to prove that

\[
P\alpha(\delta_X(\Phi)) = \Big\{ \alpha(\varphi) \;\Big|\; \varphi \in SX.\ \exists u: \mathrm{supp}\,\Phi \to X.\ u(A) \in A,\
\forall x \in X.\ \varphi(x) = \sum_{A \in \mathrm{supp}\,\Phi,\ u(A) = x} \Phi(A) \Big\} \tag{17}
\]

where we have, by Theorem 21, that

\[
P\alpha(\delta_X(\Phi)) = \Big\{ \alpha(\mu^S_X(\Psi)) \;\Big|\; \Psi \in S^2X,\ \sum_{\varphi \in SX} \Psi(\varphi) = 1,\ \mathrm{supp}\,\Psi \subseteq c(\Phi) \Big\}.
\]

First of all, $\emptyset$ is not an $S$-algebra, because there is no map $S(\emptyset) \to \emptyset$
given that $S(\emptyset) = \{\varepsilon: \emptyset \to S\}$, hence $X \neq \emptyset$. Next, if
$\Phi = \varepsilon: PX \to S$, namely the function constant to $0$, then
$c(\Phi) = \{\varepsilon: X \to S\}$, therefore one can easily see that the left-hand side of
(17) is equal to $\{\alpha(\varepsilon: X \to S)\}$. For the same reason, the right-hand side is
also equal to $\{\alpha(\varepsilon: X \to S)\}$. Moreover, if $\Phi(\emptyset) \neq 0$, then
there is no $u: \mathrm{supp}\,\Phi \to X$ such that $u(\emptyset) \in \emptyset$, so
$c(\Phi) = \emptyset$ and so is the left-hand side of (17); for the same reason, also the
right-hand side is empty.

Suppose then, for the rest of the proof, that $\Phi \neq \varepsilon$ and that
$\Phi(\emptyset) = 0$.

For the right-to-left inclusion in (17): given $\varphi \in c(\Phi)$, consider
$\Psi = \eta^S_{SX}(\varphi) = \Delta_{\varphi} \in S^2X$. Then $\Psi$ clearly satisfies all the
required properties and $\mu^S_X(\Psi) = \varphi$.

The left-to-right inclusion is more laborious. Let $\Psi \in S^2X$ be such that
$\sum_{\varphi \in SX} \Psi(\varphi) = 1$ and such that $\mathrm{supp}\,\Psi \subseteq c(\Phi)$,
that is, for all $\varphi \in \mathrm{supp}\,\Psi$ there is $u^{\varphi}: \mathrm{supp}\,\Phi \to X$
such that $u^{\varphi}(A) \in A$ for all $A \in \mathrm{supp}\,\Phi$ and
$\varphi = S(u^{\varphi})(\Phi)$. We have to show that $\alpha(\mu^S_X(\Psi)) = \alpha(\bar\varphi)$
for some $\bar\varphi \in SX$ of the form $\sum_{A \in \mathrm{supp}\,\Phi} \Phi(A) \cdot u(A)$
for some choice function $u: \mathrm{supp}\,\Phi \to X$. Notice that the given $\Psi$ is a
convex linear combination of functions $\varphi$ in $SX$ like the one we have to produce: the
trick will be to exploit the fact that each $A \in \mathrm{supp}\,\Phi$ is convex. Here we shall
only give a sketch of the proof. Suppose $\mathrm{supp}\,\Phi = \{A_1, \ldots, A_n\}$ and
$\mathrm{supp}\,\Psi = \{\varphi^1, \ldots, \varphi^m\}$. Call $u^j$ the choice function that
generates $\varphi^j$. Then $\Psi$ is of this form:

\[
\Psi = \Big( \underbrace{\big(u^1(A_1) \mapsto \Phi(A_1),\ \ldots,\ u^1(A_n) \mapsto \Phi(A_n)\big)}_{\varphi^1} \mapsto \Psi(\varphi^1),\ \ \ldots,\ \
\underbrace{\big(u^m(A_1) \mapsto \Phi(A_1),\ \ldots,\ u^m(A_n) \mapsto \Phi(A_n)\big)}_{\varphi^m} \mapsto \Psi(\varphi^m) \Big).
\]

Define the following element of $S^2X$:

\[
\Psi' = \Big( \underbrace{\big(u^1(A_1) \mapsto \Psi(\varphi^1),\ \ldots,\ u^m(A_1) \mapsto \Psi(\varphi^m)\big)}_{\chi^1} \mapsto \Phi(A_1),\ \ \ldots,\ \
\underbrace{\big(u^1(A_n) \mapsto \Psi(\varphi^1),\ \ldots,\ u^m(A_n) \mapsto \Psi(\varphi^m)\big)}_{\chi^n} \mapsto \Phi(A_n) \Big).
\]

Observe that $u^1(A_i), \ldots, u^m(A_i) \in A_i$ by definition, and $A_i$ is convex by
assumption: since $\sum_j \Psi(\varphi^j) = 1$, we have that $\alpha(\chi^i) \in A_i$. Set then
$\bar u(A_i) = \alpha(\chi^i)$ and define $\bar\varphi = S(\alpha)(\Psi')$: we have
$\bar\varphi \in c(\Phi)$ with $\bar u$ as the generating choice function. It is not difficult
to see that $\mu^S_X(\Psi) = \mu^S_X(\Psi')$, therefore we have

\[ \alpha(\bar\varphi) = \alpha(S(\alpha)(\Psi')) = \alpha(\mu^S_X(\Psi')) = \alpha(\mu^S_X(\Psi)) \]

as desired.


The rest of the proof of Theorem 24, concerning the action of $\tilde P$ on morphisms and the
unit and multiplication of the monad $\tilde P$, consists in following the recipe provided by
Garner [15].


6 The Composite Monad: an Algebraic Presentation 


We can now compose the two monads $\overline{P}$ and S by considering the monad arising from the composition of the following two adjunctions: 

$$\mathbf{Set}\ \underset{U^S}{\overset{F^S}{\rightleftarrows}}\ \mathrm{EM}(S)\ \underset{U^{\overline{P}}}{\overset{F^{\overline{P}}}{\rightleftarrows}}\ \mathrm{EM}(\overline{P})$$


Direct calculations show that the resulting endofunctor on Set, which we call $P_cS$, maps a set X and a function f: X → Y into, respectively, 

$$P_cSX = \overline{P}_{\mu_X}(SX) \qquad\text{and}\qquad P_cS(f)(A) = \{S(f)(\varphi) \mid \varphi \in A\} \tag{18}$$

for all $A \in P_cSX$. For all sets X, $\eta^{P_cS}_X\colon X \to P_cSX$ and $\mu^{P_cS}_X\colon P_cSP_cSX \to P_cSX$ are defined as 

$$\eta^{P_cS}_X(x) = \{\Delta_x\} \qquad\text{and}\qquad \mu^{P_cS}_X(\mathcal{H}) = \bigcup_{\Phi \in \mathcal{H}} \{\mu^S_X(\Psi) \mid \Psi \in \delta_{SX}(\Phi)\} \tag{19}$$

for all x ∈ X and $\mathcal{H} \in P_cSP_cSX$. 


Theorem 29. Let S be a positive semifield. Then the canonical weak distributive law δ: SP → PS given in Theorem 21 induces a monad $P_cS$ on Set with endofunctor, unit and multiplication defined as in (18) and (19). 

Recall from Remark 25 that the monad C: EM(S) → EM(S) from [25] coincides with our lifting $\overline{P}$ modulo the absence of the empty set. The same happens for the composite monad, which is named CM in [25]. The absence of ∅ in CM turns out to be rather problematic for Jacobs. Indeed, in order to use the standard framework of coalgebraic trace semantics [20], one would need the Kleisli category Kl(CM) to be enriched over CPPO, the category of ω-complete partial orders with bottom and continuous functions. Kl(CM) is not CPPO-enriched since there is no bottom element in CM(X). Instead, in $P_cSX$ the bottom is exactly the empty set; moreover, Kl($P_cS$) enjoys the properties required by [20]. 


Theorem 30. The category Kl($P_cS$) is enriched over CPPO and satisfies the left-strictness condition: for all f: X → $P_cSY$ and every set Z, $\bot_{Y,Z} \circ f = \bot_{X,Z}$. 

It is immediate that every homset in Kl($P_cS$) carries a complete partial order. Showing that composition of arrows in Kl($P_cS$) preserves joins (of ω-chains) requires more work: the proof, omitted here, crucially relies on the algebraic theory presenting the monad $P_cS$, illustrated next. 


An Algebraic Presentation. Recall that an algebraic theory is a pair T = (Σ, E) where Σ is a signature, whose elements are called operations, to each of which is assigned a cardinal number called its arity, while E is a class of formal equations between Σ-terms. An algebra for the theory T is a set A together with, for each operation σ of arity κ in Σ, a function $\sigma_A\colon A^\kappa \to A$ satisfying the equations of E. A homomorphism of algebras is a function f: A → B respecting the operations of Σ in their realisations in A and B. Algebras and homomorphisms of an algebraic theory T form a category Alg(T). 

Definition 31. Let M be a monad on Set, and T an algebraic theory. We say that T presents M if and only if EM(M) and Alg(T) are isomorphic. 


Left S-semimodules are algebras for the theory LSM = $(\Sigma_{LSM}, E_{LSM})$ where $\Sigma_{LSM} = \{+, 0\} \cup \{\lambda\cdot \mid \lambda \in S\}$ and $E_{LSM}$ is the set of axioms in Table 1. As already mentioned in Section 3, left S-semimodules are exactly S-algebras and morphisms of S-semimodules coincide with those of S-algebras. Thus, the theory LSM presents the monad S. 

Similarly, semilattices are algebras for the theory SL = $(\Sigma_{SL}, E_{SL})$ where $\Sigma_{SL} = \{\sqcup, \bot\}$ and $E_{SL}$ is the set of axioms in Table 1. It is well known that semilattices are algebras for the finite powerset monad. Actually, this monad is presented by SL. In order to present the full powerset monad P we need to take joins of arbitrary arity. A complete semilattice is a set X equipped with joins $\bigsqcup_{x \in A} x$ for all, not necessarily finite, A ⊆ X. Formally the (infinitary) theory of complete semilattices is given as CSL = $(\Sigma_{CSL}, E_{CSL})$ where $\Sigma_{CSL} = \{\bigsqcup_I \mid I \text{ set}\}$ and $E_{CSL}$ is the set of axioms displayed in Table 3 (for a detailed treatment of infinitary algebraic theories see, for example, [30]). 


We can now illustrate the theory (Σ, E) presenting the composed monad $P_cS$: the operations in Σ are exactly those of complete semilattices and S-semimodules, while the axioms are those of complete semilattices and S-semimodules together with the set $E_D$ of distributivity axioms illustrated below. 

$$\lambda\cdot\bigsqcup_{i \in I} x_i =\ \bigsqcup_{i \in I} \lambda\cdot x_i \ \text{ for } \lambda \neq 0, \qquad \bigsqcup_{i \in I} x_i + \bigsqcup_{j \in J} y_j = \bigsqcup_{(i,j) \in I \times J} x_i + y_j \tag{20}$$

In short, $\Sigma = \Sigma_{CSL} \cup \Sigma_{LSM}$ and $E = E_{CSL} \cup E_{LSM} \cup E_D$. 

Table 3. The set of axioms $E_{CSL}$ for complete semilattices: the second axiom generalises the usual idempotency and commutativity properties of finitary ⊔, while the third one generalises associativity and neutrality of $\bigsqcup_\emptyset = \bot$. 

$$\bigsqcup_{i \in \{0\}} x_i = x_0$$

$$\bigsqcup_{j \in J} x_j = \bigsqcup_{i \in I} x_{f(i)} \quad \text{for all } f\colon I \to J \text{ surjective}$$

$$\bigsqcup_{i \in I} x_i = \bigsqcup_{j \in J}\ \bigsqcup_{i \in f^{-1}(j)} x_i \quad \text{for all } f\colon I \to J$$

Theorem 32. The monad $P_cS$ is presented by the algebraic theory (Σ, E). 


The presentation crucially relies on the fact that $P_cS$ is obtained by composing P and S via δ. Indeed, we know from general results in [11,15] that $P_cS$-algebras are in one-to-one correspondence with δ-algebras [3], namely triples (X, a, b) such that a: SX → X is an S-algebra, b: PX → X is a P-algebra and the following diagram commutes: 

$$\begin{array}{ccc} SPX & \xrightarrow{\ \delta_X\ } & PSX \\ {\scriptstyle Sb}\downarrow & & \downarrow{\scriptstyle Pa} \\ SX & \xrightarrow{\ a\ } X \xleftarrow{\ b\ } & PX \end{array} \tag{21}$$

i.e. $a \circ Sb = b \circ Pa \circ \delta_X$. The S-algebra a corresponds to an S-semimodule (X, +, 0, λ·), the P-algebra b to a complete lattice $(X, \bigsqcup_I)$ and the commutativity of diagram (21) expresses exactly the distributivity axioms in (20). 


Example 33. Let S be ℝ⁺ and let [a, b] with a, b ∈ ℝ⁺ denote the set {x ∈ ℝ⁺ | a ≤ x ≤ b} and [a, ∞) the set {x ∈ ℝ⁺ | a ≤ x}. For 1 = {x}, $P_cS(1) = \{\emptyset\} \cup \{[a,b] \mid a,b \in \mathbb{R}^+\} \cup \{[a,+\infty) \mid a \in \mathbb{R}^+\}$. The $P_cS$-algebra $\mu^{P_cS}_1\colon P_cSP_cS1 \to P_cS1$ induces a δ-algebra where the structure of complete lattice is given as² 

$$\bigsqcup_{i \in I} A_i = \begin{cases} [\inf_{i \in I} a_i,\ \sup_{i \in I} b_i] & \text{if, for all } i \in I,\ A_i = [a_i, b_i] \text{ and } \sup_{i \in I} b_i \in \mathbb{R}^+ \\ [\inf_{i \in I} a_i,\ \infty) & \text{otherwise} \end{cases}$$

The ℝ⁺-semimodule is as expected, e.g., $[a_1, b_1] + [a_2, b_2] = [a_1 + a_2, b_1 + b_2]$. 

² For the sake of brevity, we are ignoring the case where some $A_i = \emptyset$. 
Finite Joins and Finitely Generated Convex Sets. We now consider the algebraic theory (Σ', E') obtained by restricting (Σ, E) to finitary joins. More precisely, we fix 

$$\Sigma' = \Sigma_{SL} \cup \Sigma_{LSM} \qquad E' = E_{SL} \cup E_{LSM} \cup E_{D'}$$

where $(\Sigma_{SL}, E_{SL})$ is the algebraic theory for semilattices, $(\Sigma_{LSM}, E_{LSM})$ is the one for S-semimodules, and $E_{D'}$ is the set of distributivity axioms illustrated in Table 1. Thanks to the characterisation provided by Theorem 32, we easily obtain a function translating Σ'-terms into convex subsets. 


Proposition 34. Let $T_{\Sigma',E'}(X)$ be the set of Σ'-terms with variables in X quotiented by E'. Let $\llbracket - \rrbracket_X\colon T_{\Sigma',E'}(X) \to P_cS(X)$ be the function defined as 

$$\begin{array}{ll} \llbracket x \rrbracket = \{\Delta_x\} \ \text{ for } x \in X & \llbracket \lambda\cdot t \rrbracket = \begin{cases} \{\lambda\cdot f \mid f \in \llbracket t \rrbracket\} & \text{if } \lambda \neq 0 \\ \{0\} & \text{otherwise} \end{cases} \\[1ex] \llbracket 0 \rrbracket = \{0\} & \llbracket t_1 + t_2 \rrbracket = \{f_1 + f_2 \mid f_1 \in \llbracket t_1 \rrbracket,\ f_2 \in \llbracket t_2 \rrbracket\} \\[1ex] \llbracket \bot \rrbracket = \emptyset & \llbracket t_1 \sqcup t_2 \rrbracket = \llbracket t_1 \rrbracket \sqcup \llbracket t_2 \rrbracket \end{array}$$

Let $\llbracket - \rrbracket\colon T_{\Sigma',E'} \to P_cS$ be the family $\{\llbracket - \rrbracket_X\}_{X \in |\mathbf{Set}|}$. Then $\llbracket - \rrbracket\colon T_{\Sigma',E'} \Rightarrow P_cS$ is a map of monads and, moreover, each $\llbracket - \rrbracket_X\colon T_{\Sigma',E'}(X) \to P_cS(X)$ is injective. 


We say that a set $A \in P_cS(X)$ is finitely generated if there exists a finite set B ⊆ S(X) such that A is the convex hull of B. We write $P_{fc}S(X)$ for the set of all $A \in P_cS(X)$ that are finitely generated. The assignment $X \mapsto P_{fc}S(X)$ gives rise to a monad $P_{fc}S\colon \mathbf{Set} \to \mathbf{Set}$ where the action on functions, the unit and the multiplication are defined as for $P_cS$. 

Theorem 35. The monads $T_{\Sigma',E'}$ and $P_{fc}S$ are isomorphic. Therefore (Σ', E') is a presentation for the monad $P_{fc}S$. 


Example 36. Recall $P_cS(1)$ for S = ℝ⁺ from Example 33. By restricting to the finitely generated convex sets, one obtains $P_{fc}S(1) = \{\emptyset\} \cup \{[a,b] \mid a,b \in \mathbb{R}^+\}$, that is, the sets of the form [a, ∞) are not finitely generated. Table 4 illustrates the isomorphism $\llbracket - \rrbracket_1\colon T_{\Sigma',E'}(1) \to P_{fc}S(1)$. It is worth observing that every closed interval [a, b] is denoted by a term in $T_{\Sigma',E'}(1)$ for 1 = {x}: indeed, $\llbracket (a\cdot x) \sqcup (b\cdot x) \rrbracket = [a,b]$. For 2 = {x, y}, $P_{fc}S(2)$ is the set containing all convex polygons: for instance the term $(r_1\cdot x + s_1\cdot y) \sqcup (r_2\cdot x + s_2\cdot y) \sqcup (r_3\cdot x + s_3\cdot y)$ denotes a triangle with vertices $(r_i, s_i)$. For $n = \{x_0, \dots, x_{n-1}\}$, it is easy to see that $P_{fc}S(n)$ contains all convex n-polytopes. 
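As an added example, not from the paper: a Python rendering of the interpretation $\llbracket - \rrbracket$ of Σ'-terms over S = ℝ⁺, with the one-variable case following Table 4 and the general case tracking a finite generating set of the convex set, as in Proposition 34 restricted to finitely generated sets. The term encoding, the generator-set representation and the checks on Example 36 are this example's own constructions.

```python
# Added example (not from the paper): [[-]] of Sigma'-terms over S = R+.
# A term is a nested tuple: ("var", x), ("zero",), ("bot",), ("scal", lam, t),
# ("add", t1, t2) or ("join", t1, t2), with lam a non-negative real.

def interval(t):
    """Table 4: over 1 = {x} a term denotes the empty set (None) or a closed interval (a, b)."""
    kind = t[0]
    if kind == "var":
        return (1.0, 1.0)                              # [[x]] = [1, 1]
    if kind == "zero":
        return (0.0, 0.0)                              # [[0]] = [0, 0]
    if kind == "bot":
        return None                                    # [[bot]] = empty set
    if kind == "scal":
        lam, s = t[1], interval(t[2])
        if lam == 0:
            return (0.0, 0.0)                          # 0.t = [0, 0] even when [[t]] is empty
        return None if s is None else (lam * s[0], lam * s[1])
    s1, s2 = interval(t[1]), interval(t[2])
    if kind == "add":                                  # Minkowski sum of intervals
        return None if s1 is None or s2 is None else (s1[0] + s2[0], s1[1] + s2[1])
    if kind == "join":                                 # convex hull of the union
        if s1 is None or s2 is None:
            return s1 if s2 is None else s2
        return (min(s1[0], s2[0]), max(s1[1], s2[1]))
    raise ValueError("unknown term constructor: %r" % (kind,))

def generators(t, variables):
    """Finite set of points of S(X) (vectors indexed by `variables`) whose convex hull is
    [[t]]: Proposition 34 read on generators, using hull(A) + hull(B) = hull(A + B) and
    the fact that the join hull(A) u hull(B) is generated by A u B."""
    n = len(variables)
    kind = t[0]
    if kind == "var":
        return frozenset({tuple(1.0 if y == t[1] else 0.0 for y in variables)})
    if kind == "zero":
        return frozenset({(0.0,) * n})
    if kind == "bot":
        return frozenset()
    if kind == "scal":
        if t[1] == 0:
            return frozenset({(0.0,) * n})
        return frozenset(tuple(t[1] * c for c in p) for p in generators(t[2], variables))
    g1, g2 = generators(t[1], variables), generators(t[2], variables)
    if kind == "add":
        return frozenset(tuple(a + b for a, b in zip(p, q)) for p in g1 for q in g2)
    if kind == "join":
        return g1 | g2
    raise ValueError("unknown term constructor: %r" % (kind,))

def hull_extent(gens):
    """One variable: the interval spanned by a generator set, or None when it is empty."""
    if not gens:
        return None
    xs = [p[0] for p in gens]
    return (min(xs), max(xs))

# Constructed terms over 1 = {x} and 2 = {x, y}.
X, Y = ("var", "x"), ("var", "y")

def closed_interval(a, b):
    """Example 36: the term (a.x) join (b.x), which denotes [a, b]."""
    return ("join", ("scal", a, X), ("scal", b, X))

def triangle(vertices):
    """Example 36: (r1.x + s1.y) join (r2.x + s2.y) join (r3.x + s3.y) for vertices (ri, si)."""
    terms = [("add", ("scal", r, X), ("scal", s, Y)) for r, s in vertices]
    t = terms[0]
    for s in terms[1:]:
        t = ("join", t, s)
    return t

def distributes(lam, t1, t2):
    """One distributivity axiom of E_D' checked on intervals:
    lam.(t1 join t2) = (lam.t1) join (lam.t2), cf. the first axiom in (20) for lam != 0."""
    lhs = interval(("scal", lam, ("join", t1, t2)))
    rhs = interval(("join", ("scal", lam, t1), ("scal", lam, t2)))
    return lhs == rhs
```

The generator sets are not reduced to extreme points, so `generators` may return interior points as well; for the triangle of Example 36 the three vertices are exactly what comes back.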


7 Conclusions: Related and Future Work 


Our work was inspired by [17] where Goy and Petrisan compose the monads of powerset and probability distributions by means of a weak distributive law in the sense of Garner [15]. Our results also heavily rely on the work of Clementino et al. [12] that illustrates necessary and sufficient conditions on a semiring S for the existence of a weak distributive law δ: SP → PS. However, to the best of our knowledge, the alternative characterisation of δ provided by Theorem 21 was never shown. 

Table 4. The inductive definition of the function $\llbracket - \rrbracket_1\colon T_{\Sigma',E'}(1) \to P_{fc}S(1)$ for 1 = {x}. 

$$\begin{array}{ll} \llbracket x \rrbracket = [1,1] & \llbracket \lambda\cdot t \rrbracket = \begin{cases} [\lambda a, \lambda b] & \text{if } \lambda \neq 0,\ \llbracket t \rrbracket = [a,b] \\ \emptyset & \text{if } \lambda \neq 0,\ \llbracket t \rrbracket = \emptyset \\ [0,0] & \text{otherwise} \end{cases} \\[1ex] \llbracket 0 \rrbracket = [0,0] & \llbracket t_1 + t_2 \rrbracket = \begin{cases} [a_1 + a_2, b_1 + b_2] & \text{if } \llbracket t_i \rrbracket = [a_i, b_i] \\ \emptyset & \text{otherwise} \end{cases} \\[1ex] \llbracket \bot \rrbracket = \emptyset & \llbracket t_1 \sqcup t_2 \rrbracket = \begin{cases} [\min a_i, \max b_i] & \text{if } \llbracket t_i \rrbracket = [a_i, b_i] \\ [a_1, b_1] & \text{if } \llbracket t_1 \rrbracket = [a_1, b_1],\ \llbracket t_2 \rrbracket = \emptyset \\ [a_2, b_2] & \text{if } \llbracket t_2 \rrbracket = [a_2, b_2],\ \llbracket t_1 \rrbracket = \emptyset \\ \emptyset & \text{otherwise} \end{cases} \end{array}$$


Such a characterisation is essential for giving a handy description of the lifting $\overline{P}\colon \mathrm{EM}(S) \to \mathrm{EM}(S)$ (Theorem 24) as well as to observe the strong relationships with the work of Jacobs (Remark 25) and the one of Klin and Rot (Remark 23). The weak distributive law δ also plays a key role in providing the algebraic theories presenting the composed monad $P_cS$ (Theorem 24) and its finitary restriction $P_{fc}S$ (Theorem 35). These two theories resemble those appearing in, respectively, [17] and [10] where the monad of probability distributions plays the role of the monad S in our work. 

Theorem 30 allows one to reuse the framework of coalgebraic trace semantics [20] for modelling over Kl($P_cS$) systems with both nondeterminism and quantitative features. The alternative framework based on coalgebras over EM($P_cS$) directly leads to nondeterministic weighted automata. A proper comparison with those in [13] is left as future work. Thanks to the abstract results in [7], language equivalence for such coalgebras could be checked by means of coinductive up-to techniques. It is worth remarking that, since δ is a weak distributive law, then thanks to the work in [16], up-to techniques are also sound for “convex-bisimilarity” (in coalgebraic terms, behavioural equivalence for the lifted functor $\overline{P}\colon \mathrm{EM}(S) \to \mathrm{EM}(S)$). 

We conclude by recalling that we have two main examples of positive semifields: Bool and ℝ⁺. Booleans could lead to a coalgebraic modal logic and trace semantics for alternating automata in the style of [27]. For ℝ⁺, we hope that, exploiting the ideas in [34], our monad could shed some light on the behaviour of linear dynamical systems featuring some sort of nondeterminism. 
Abstract. The origin semantics for transducers was proposed in 2014, 
and it led to various characterizations and decidability results that are 
in contrast with the classical semantics. In this paper we add a further 
decidability result for characterizing transducers that are close to one- 
way transducers in the origin semantics. We show that it is decidable 
whether a non-deterministic two-way word transducer can be resynchro- 
nized by a bounded, regular resynchronizer into an origin-equivalent one- 
way transducer. The result is in contrast with the usual semantics, where 
it is undecidable to know if a non-deterministic two-way transducer is 
equivalent to some one-way transducer. 


Keywords: String transducers - Resynchronizers - One-way transducers 


1 Introduction 


Regular word-to-word functions form a robust and expressive class of transforma- 
tions, as they correspond to deterministic two-way transducers, to deterministic 
streaming string transducers [1], and to monadic second-order logical transduc- 
tions [11]. However, the transition from word languages to functions over words 
is often quite tricky. One of the challenges is to come up with effective charac- 
terizations of restricted transformations. A first example is the characterization 
of functions computed by one-way transducers (known as rational functions). 
It turns out that it is decidable whether a regular function is rational [14], 
but the algorithm is quite involved [3]. In addition, non-determinism makes the 
problem intractable: it is undecidable whether the relation computed by a non- 
deterministic two-way transducer can be also computed by a one-way transducer, 
[2]. A second example is the problem of knowing whether a regular word func- 
tion can be described by a first-order logical transduction. This question is still 
open in general [16], and it is only known how to decide if a rational function is 
definable in first-order logic [13]. 

Word transducers with origin semantics were introduced by Bojańczyk [4] 
and shown to provide a machine-independent characterization of regular word- 
Fig. 1: On the left, an input-output pair for a transducer T that reads wd and outputs dw, d ∈ Σ, w ∈ Σ*, the arrows denoting origins. On the right, the same input-output pair, but with origins modified by a resynchronizer R. The resynchronized relation R(T) is order-preserving, and T is one-way resynchronizable. 


to-word functions. The origin semantics, as the name suggests, means tagging 
the output by the positions of the input that generated that output. 

A nice phenomenon is that origins can restore decidability for some inter- 
esting problems. For example, the equivalence of word relations computed by 
one-way transducers, which is undecidable in the classical semantics [18,19], is 
PSPACE-complete for two-way non-deterministic transducers in the origin se- 
mantics [7]. Another, deeper, observation is that the origin semantics provides 
an algebraic approach that can be used to decide fragments. For example, [4] 
provides an effective characterization of first-order definable word functions un- 
der the origin semantics. As for the problem of knowing whether a regular word 
function is rational, it becomes almost trivial in the origin semantics. 

A possible objection against the origin semantics is that the comparison of 
two transducers in the origin semantics is too strict. Resynchronizations were 
proposed in order to overcome this issue. A resynchronization is a binary relation 
between input-output pairs with origins, that preserves the input and the out- 
put, changing only the origins. Resynchronizations were introduced for one-way 
transducers [15], and later for two-way transducers [7]. For one-way transduc- 
ers rational resynchronizations are transducers acting on the synchronization 
languages, whereas for two-way transducers, regular resynchronizations are de- 
scribed by regular properties over the input that restrict the change of origins. 
The class of bounded⁴ regular resynchronizations was shown to behave very 
nicely, preserving the class of transductions defined by non-deterministic, two- 
way transducers: for any bounded regular resynchronization R and any two-way 
transducer T, the resynchronized relation R(T) can be computed by another 
two-way transducer [7]. In particular, non-deterministic, two-way transducers 
can be effectively compared modulo bounded regular resynchronizations. 

As mentioned above, it is easy to know if a two-way transducer is equiv- 
alent under the origin semantics to some one-way transducer [4], since this is 
equivalent to being order-preserving. But what happens if this is not the case? 
Still, the given transducer T can be “close” to some order-preserving transducer. 
What we mean here by “close” is that there exists some bounded regular resynchronizer R such that R(T) is order-preserving and all input-output pairs with origins produced by T are in the domain of R. We call such transducers one-way resynchronizable. Figure 1 gives an example. 

⁴ “Bounded” refers here to the number of source positions that are mapped to the same target position. It rules out resynchronizations such as the universal one. 

In this paper we show that it is decidable if a two-way transducer is one-way 
resynchronizable. We first solve the problem for bounded-visit two-way transduc- 
ers. A bounded-visit transducer is one for which there is a uniform bound for the 
number of visits of any input position. Then, we use the previous result to show 
that one-way resynchronizability is decidable for arbitrary two-way transducers, 
so without the bounded-visit restriction. This is done by constructing, if possible, 
a bounded, regular resynchronization from the given transducer to a bounded- 
visit transducer with regular language outputs. Finally, we show that bounded 
regular resynchronizations are closed under composition, and this allows us to combine the previous construction with our decidability result for bounded-visit 
transducers. 


Related work and paper overview. The synthesis problem for resynchronizers asks 
to compute a resynchronizer from one transducer to another one, when the two 
transducers are given as input. The problem was studied in [6] and shown to 
be decidable for unambiguous two-way transducers (it is open for unrestricted 
transducers). The paper [21] shows that the containment version of the above 
problem is undecidable for unrestricted one-way transducers. 

The origin semantics for streaming string transducers (SST) [1] has been 
studied in [5], providing a machine-independent characterization of the sets of 
origin graphs generated by SSTs. An open problem here is to characterize origin 
graphs generated by aperiodic streaming string transducers [10,16]. Going be- 
yond words, [17] investigates decision problems of tree transducers with origin, 
and regains the decidability of the equivalence problem for non-deterministic 
top-down and MSO transducers by considering the origin semantics. An open 
problem for tree transducers with origin is that of synthesizing resynchronizers 
as in the word case. 

We will recall regular resynchronizations in Section 3. Section 4 provides the 
proof ingredients for the bounded-visit case, and the proof of decidability of 
one-way resynchronizability in the bounded-visit case can be found in Section 5. 
Finally, in Section 6 we sketch the proof in the general case. A full version of 
the paper is available at https://arxiv.org/abs/2101.08011. 


2 Preliminaries 


Let Σ be a finite input alphabet. Given a word w ∈ Σ* of length |w| = n, a position is an element of its domain dom(w) = {1, ..., n}. For every position i, w(i) denotes the letter at that position. A cut of w is any number from 1 to |w| + 1, so a cut identifies a position between two consecutive letters of the input. The cut i = 1 represents the position just before the first input letter, and i = |w| + 1 the position just after the last letter of w. 
Two-way transducers. We use two-way transducers as defined in [3,6], with a slightly different presentation than in classical papers such as [22]. As usual for two-way machines, for any input w ∈ Σ*, w(0) = ⊢ and w(|w| + 1) = ⊣, where ⊢, ⊣ ∉ Σ are special markers used as delimiters. 

A two-way transducer (or just transducer from now on) is a tuple T = (Q, Σ, Γ, Δ, I, F), where Σ, Γ are respectively the input and output alphabets, $Q = Q_< \uplus Q_>$ is the set of states, partitioned into left-reading states from $Q_<$ and right-reading states from $Q_>$, $I \subseteq Q_>$ is the set of initial states, F ⊆ Q is the set of final states, and $\Delta \subseteq Q \times (\Sigma \uplus \{\vdash, \dashv\}) \times \Gamma^* \times Q$ is the finite transition relation. Left-reading states read the letter to the left, whereas right-reading states read the letter to the right. This partitioning will also determine the head movement during a transition, as explained below. 

As usual, to define runs of transducers we first define configurations. Given a transducer T and a word w ∈ Σ*, a configuration of T on w is a state-cut pair (q, i), with q ∈ Q and 1 ≤ i ≤ |w| + 1. A configuration (q, i), 1 ≤ i ≤ |w| + 1, means that the automaton is in state q and its head is between the (i − 1)-th and the i-th letter of w. The transitions that depart from a configuration (q, i) and read a are denoted $(q,i) \xrightarrow{a \mid v} (q',i')$, and must satisfy one of the following: 

(1) $q \in Q_>$, $q' \in Q_>$, a = w(i), (q, a, v, q') ∈ Δ, and i' = i + 1, 

(2) $q \in Q_>$, $q' \in Q_<$, a = w(i), (q, a, v, q') ∈ Δ, and i' = i, 

(3) $q \in Q_<$, $q' \in Q_>$, a = w(i − 1), (q, a, v, q') ∈ Δ, and i' = i, 

(4) $q \in Q_<$, $q' \in Q_<$, a = w(i − 1), (q, a, v, q') ∈ Δ, and i' = i − 1. 

When T has only right-reading states (i.e. $Q_< = \emptyset$), its head can only move rightward. In this case we call T a one-way transducer. 

A run of T on w is a sequence $\rho = (q_1, i_1) \xrightarrow{a_{j_1} \mid v_1} (q_2, i_2) \xrightarrow{a_{j_2} \mid v_2} \cdots \xrightarrow{a_{j_m} \mid v_m} (q_{m+1}, i_{m+1})$ of configurations connected by transitions. Note that the positions $j_1, j_2, \dots, j_m$ of letters do not need to be ordered from smaller to bigger, and can differ slightly (by +1 or −1) from the cuts $i_1, i_2, \dots, i_{m+1}$, since cuts take values in between consecutive letters. 

A configuration (q, i) on w is initial (resp. final) if q ∈ I and i = 1 (resp. q ∈ F and i = |w| + 1). A run is successful if it starts with an initial configuration and ends with a final configuration. The output associated with a successful run ρ as above is the word $v_1 v_2 \cdots v_m \in \Gamma^*$. A transducer T defines a relation $\llbracket T \rrbracket \subseteq \Sigma^* \times \Gamma^*$ consisting of all the pairs (u, v) such that v is the output of some successful run ρ of T on u. 


Origin semantics. In the origin semantics for transducers [4] the output is tagged with information about the position of the input where it was produced. If reading the i-th letter of the input we output v, then all letters of v are tagged with i, and we say they have origin i. We use the notation (v, i) for v ∈ Γ* to denote that all positions in the output word v have origin i, and we view (v, i) as a word over the alphabet Γ × ℕ. The outputs associated with a successful run $\rho = (q_1, i_1) \xrightarrow{b_1 \mid v_1} (q_2, i_2) \xrightarrow{b_2 \mid v_2} (q_3, i_3) \cdots \xrightarrow{b_m \mid v_m} (q_{m+1}, i_{m+1})$ in the origin semantics are the words of the form $\nu = (v_1, j_1)(v_2, j_2) \cdots (v_m, j_m)$ over Γ × ℕ where, for all 1 ≤ k ≤ m, $j_k = i_k$ if $q_k \in Q_>$, and $j_k = i_k - 1$ if $q_k \in Q_<$. Under the origin semantics, the relation defined by T, denoted $\llbracket T \rrbracket_o$, is the set of pairs σ = (u, ν), called synchronized pairs, such that u ∈ Σ* and ν ∈ (Γ × ℕ)* is the output of some successful run on u. 

Equivalently, a synchronized pair (u, ν) can be described as a triple (u, v, orig), where v is the projection of ν on Γ, and orig: dom(v) → dom(u) associates with each position of v its origin in u. So for $\nu = (v_1, j_1)(v_2, j_2) \cdots (v_m, j_m)$ as above, $v = v_1 \cdots v_m$, and, for all positions i s.t. $|v_1 \cdots v_{k-1}| < i \le |v_1 \cdots v_k|$, we have orig(i) = $j_k$. Given two transducers $T_1, T_2$, we say they are origin-equivalent if $\llbracket T_1 \rrbracket_o = \llbracket T_2 \rrbracket_o$. Note that two transducers $T_1, T_2$ can be equivalent in the classical semantics, $\llbracket T_1 \rrbracket = \llbracket T_2 \rrbracket$, while they can have different origin semantics, so $\llbracket T_1 \rrbracket_o \neq \llbracket T_2 \rrbracket_o$. 


Bounded-visit transducers. Let k > 0 be some integer, and ρ some run of a two-way transducer T. We say that ρ is k-visit if for every i > 0, it has at most k occurrences of configurations from Q × {i}. We call a transducer T k-visit if for every $\sigma \in \llbracket T \rrbracket_o$ there is some successful, k-visit run ρ of T with output σ (actually we should call the transducer k-visit in the origin semantics, but for simplicity we omit this). For example, the relation $\{(w, \bar{w}) \mid w \in \Sigma^*\}$, where $\bar{w}$ denotes the reverse of w, can be computed by a 3-visit transducer. A transducer is called bounded-visit if it is k-visit for some k. 


Common guess. It is often useful to work with a variant of two-way transducers 
that can guess beforehand some annotation on the input and inspect it consis- 
tently when visiting portions of the input multiple times. This feature is called 
common guess [5], and strictly increases the expressive power of two-way trans- 
ducers, including bounded-visit ones. 


3 One-way resynchronizability 


3.1 Regular resynchronizers 


Resynchronizations are used to compare transductions in the origin semantics. A resynchronization is a binary relation $R \subseteq (\Sigma^* \times (\Gamma \times \mathbb{N})^*)^2$ over synchronized pairs such that (σ, σ') ∈ R implies that σ = (u, v, orig) and σ' = (u, v, orig') for some origin mappings orig, orig': dom(v) → dom(u). In other words, a resynchronization will only change the origin mapping, but neither the input, nor the output. Given a relation $S \subseteq \Sigma^* \times (\Gamma \times \mathbb{N})^*$ with origins, the resynchronized relation R(S) is defined as R(S) = {σ' | (σ, σ') ∈ R, σ ∈ S}. For a transducer T we abbreviate $R(\llbracket T \rrbracket_o)$ by R(T). The typical use of a resynchronization R is to ask, given two transducers T, T', whether R(T) and T' are origin-equivalent. 

Regular resynchronizers (originally called MSO resynchronizers) were introduced in [7] as a resynchronization mechanism that preserves definability by two-way transducers. They were inspired by MSO (monadic second-order) transductions [9,12] and they are formally defined as follows. A regular resynchronizer is a tuple $R = (I, O, \mathrm{ipar}, \mathrm{opar}, (\mathrm{move}_\tau)_\tau, (\mathrm{next}_{\tau,\tau'})_{\tau,\tau'})$ consisting of 

– some monadic parameters (colors) $I = (I_1, \dots, I_m)$ and $O = (O_1, \dots, O_n)$, 

– MSO sentences ipar, opar, defining languages over expanded input and output alphabets, i.e. over $\Sigma' = \Sigma \times 2^{\{1,\dots,m\}}$ and $\Gamma' = \Gamma \times 2^{\{1,\dots,n\}}$, respectively, 

– MSO formulas $\mathrm{move}_\tau(y, z)$, $\mathrm{next}_{\tau,\tau'}(z, z')$ with two free first-order variables and parametrized by expanded output letters τ, τ' (called types, see below). 

To apply a regular resynchronizer as above, one first guesses the valuation of all the predicates $I_j$, $O_k$, and uses it to interpret the parameters I and O. Based on the chosen valuation of the parameters O, each position x of the output v gets an associated type $\tau_x = (v(x), b_1, \dots, b_n) \in \Gamma \times \{0,1\}^n$, where $b_i$ is 1 or 0 depending on whether $x \in O_i$ or not. We refer to the output word together with the valuation of the output parameters as annotated output, so a word over $\Gamma \times \{0,1\}^n$. Similarly, the annotated input is a word over $\Sigma \times \{0,1\}^m$. The annotated input and output word must satisfy the formulas ipar and opar, respectively. 

The origins of output positions are constrained using the formulas $\mathrm{move}_\tau$ and $\mathrm{next}_{\tau,\tau'}$, which are parametrized by output types and evaluated over the annotated input. Intuitively, the formula $\mathrm{move}_\tau(y, z)$ states how the origin of every output position of type τ changes from y to z. We refer to y and z as source and target origin, respectively. The formula $\mathrm{next}_{\tau,\tau'}(z, z')$ instead constrains the target origins z, z' of any two consecutive output positions with types τ and τ', respectively. 

Formally, $R = (I, O, \mathrm{ipar}, \mathrm{opar}, (\mathrm{move}_\tau), (\mathrm{next}_{\tau,\tau'}))$ defines the resynchronization consisting of all pairs (σ, σ'), with σ = (u, v, orig), σ' = (u, v, orig'), u ∈ Σ*, and v ∈ Γ*, for which there exist u' ∈ Σ'* and v' ∈ Γ'* such that 

– $\pi_\Sigma(u') = u$ and $\pi_\Gamma(v') = v$, 

– u' satisfies ipar and v' satisfies opar, 

– (u', orig(x), orig'(x)) satisfies $\mathrm{move}_\tau$ for all τ-labeled output positions x ∈ dom(v'), and 

– (u', orig'(x), orig'(x + 1)) satisfies $\mathrm{next}_{\tau,\tau'}$ for all x, x + 1 ∈ dom(v') such that x and x + 1 have label τ and τ', respectively. 


Example 1. Consider the following resynchronization R. A pair (σ, σ') belongs to R if σ = (uv, uwv, orig), σ' = (uv, uwv, orig'), with u, v, w ∈ Σ⁺. The origins orig and orig' are both the identity over u and v. The origin of every position of w in σ (hence a source origin) is either the first or the last position of v. The origin of every position of w in σ' (a target origin) is the first position of v. 

This resynchronization is described by a regular resynchronizer that uses two input parameters $I_1, I_2$ to mark the last and the first positions of v in the input, and one output parameter O to mark the factor w in the output. The formula $\mathrm{move}_\tau(y, z)$ is either $(I_1(y) \vee I_2(y)) \wedge I_2(z)$ or (y = z), depending on whether the type τ describes a position inside w or a position outside w. 


We now turn to describing some important restrictions on (regular) resynchronizers. Let $R = (I, O, \mathrm{ipar}, \mathrm{opar}, (\mathrm{move}_\tau), (\mathrm{next}_{\tau,\tau'}))$ be a resynchronizer. 

– R is k-bounded (or just bounded) if for every annotated input u' ∈ Σ'*, every output type τ ∈ Γ', and every position z, there are at most k positions y such that (u', y, z) satisfies $\mathrm{move}_\tau$. Recall that y, z are input positions. 

– R is T-preserving for a given transducer T, if every $\sigma \in \llbracket T \rrbracket_o$ belongs to the domain of R. 

– R is partially bijective if each $\mathrm{move}_\tau$ formula defines a partial, bijective function from source origins to target origins. Observe that this property implies that R is 1-bounded. 


The boundedness restriction rules out resynchronizations such as the univer- 
sal one, that imposes no restriction on the change of origins. It is a decidable 
restriction [7], and it guarantees that definability by two-way transducers is effec- 
tively preserved under regular resynchronizations, modulo common guess. More 
precisely, Theorem 16 in [7] shows that, given a bounded regular resynchronizer 
R and a transducer T, one can construct a transducer T' with common guess 
that is origin-equivalent to R(T). 


Example 1 (continued). Consider again the regular resynchronizer R described 
in the previous example. Note that R is 2-bounded, since at most two source 
origins are redirected to the same target origin. If we used an additional output 
parameter to distinguish, among the positions of w, those that have source origin 
in the first position of v and those that have source origin in the last position of 
v, we would get a 1-bounded, regular resynchronizer. 


We state below two crucial properties of regular resynchronizers (the second 
lemma is reminiscent of Lemma 11 from [21], which proves closure of bounded 
resynchronizers with vacuous next, relations). 


Lemma 1. Every bounded, regular resynchronizer is effectively equivalent to 
some 1-bounded, regular resynchronizer. 


Lemma 2. The class of bounded, regular resynchronizers is effectively closed 
under composition. 


3.2 Main result 


Given a two-way transducer T one can ask if it is origin-equivalent to some 
one-way transducer. It was observed in [4] that this property holds if and only 
if all synchronized pairs defined by T are order-preserving, namely, for all σ = 
(u, v, orig) ∈ $\llbracket T \rrbracket_o$ and all y, y' ∈ dom(v), with y < y', we have orig(y) ≤ orig(y'). 
The decidability of the above question should be contrasted to the analogous 
question in the classical semantics: “is a given two-way transducer classically 
equivalent to some one-way transducer?” The latter problem turns out to be 
decidable for functional transducers [14,3], but is undecidable for arbitrary two- 
way transducers [2]. 
Here we are interested in a different, more relaxed notion: 
Definition 1. A transducer T is called one-way resynchronizable if there exists 
a bounded, regular resynchronizer R that is T-preserving and such that R(T) is 
order-preserving. 


Note that if T' is an order-preserving transducer, then one can construct rather easily a one-way transducer T'' such that $T' =_o T''$, by eliminating non-productive U-turns from accepting runs. 

Moreover, note that without the condition of being T-preserving every trans- 
ducer T would be one-way resynchronizable, using the empty resynchronization. 


Example 2. Consider the transducer $T_1$ that moves the last letter of the input wa to the front by a first left-to-right pass that outputs the last letter a, followed by a right-to-left pass without output, and finally by a left-to-right pass that produces the remaining w. Let R be the bounded regular resynchronizer that redirects the origin of the last a to the first position. Assuming an output parameter O with an interpretation constrained by opar that marks the last position of the output, the formula $\mathrm{move}_{(a,1)}(y, z)$ says that target origin z (source origin y, resp.) of the last a is the first (last, resp.) position of the input. It is easy to see that $R(T_1)$ is origin-equivalent to the one-way transducer that on input wa, guesses a and outputs aw. Thus, $T_1$ is one-way resynchronizable. See also Figure 1. 


Example 3. Consider the transducer T₂ that reads inputs of the form u#v and 
outputs vu in the obvious way, by a first left-to-right pass that outputs v, followed 
by a right-to-left pass, and finally a left-to-right pass that outputs u. Using 
the characterization with the notion of cross-width that we introduce below, it 
can be shown that T₂ is not one-way resynchronizable. 


In order to give a flavor of our results, we anticipate here the two main theo- 
rems, before introducing the key technical concepts of cross-width and inversion 
(these will be defined further below). 


Theorem 1. For every bounded-visit transducer T, the following are equivalent: 


(1) T is one-way resynchronizable, 

(2) the cross-width of T is finite, 

(3) no successful run of T has inversions, 

(4) there is a partially bijective, regular resynchronizer R that is T-preserving 
and such that R(T) is order-preserving. 


Moreover, condition (3) is decidable. 


We will use Theorem 1 to show that one-way resynchronizability is decidable 
for arbitrary two-way transducers (not just bounded-visit ones). 


Theorem 2. It is decidable whether a given two-way transducer T is one-way 
resynchronizable. 


Let us now introduce the first key concept, that of cross-width: 

Definition 2 (cross-width). Let σ = (u, v, orig) be a synchronized pair and let 
X₁, X₂ ⊆ dom(v) be sets of output positions such that, for all x₁ ∈ X₁ and 
x₂ ∈ X₂, x₁ < x₂ and orig(x₁) > orig(x₂). We call such a pair (X₁, X₂) a cross 
and define its width as min(|orig(X₁)|, |orig(X₂)|), where orig(X) = {orig(x) | x ∈ X} 
is the set of origins corresponding to a set X of output positions. The cross-width 
of a synchronized pair σ is the maximal width of the crosses in σ. A transducer has 
bounded cross-width if for some integer k, all synchronized pairs associated with 
successful runs of T have cross-width at most k. 

[Figure: a cross (X₁, X₂) between input and output positions, with its cross-width marked.] 


For instance, the transducer T₂ in Example 3 has unbounded cross-width. In 
contrast, the transducer T₁ in Example 2 has cross-width one. 

The other key notion of inversion will be introduced formally in the next 
section (page 135), as it requires a few technical definitions. The notion however 
is very similar in spirit to that of cross, with the difference that a single inversion 
is sufficient for witnessing a family of crosses with arbitrarily large cross-width. 


4 Proof overview for Theorem 1 


This section provides an overview of the proof of Theorem 1, and introduces the 
main ingredients. 

We will use flows (a concept inspired by crossing sequences [22,3] and 
revised in Section 4.1) in order to derive the key notion of inversion. Roughly 
speaking, an inversion in a run involves two loops that produce outputs in an 
order that is reversed compared to the order on origins. Inversions were also used 
in the characterization of one-way definability of two-way transducers under the 
classical semantics [3]. There, they were used for deriving some combinatorial 
properties of outputs. Here we are only interested in detecting inversions, and 
this is a simple task. 

Flows will also be used to associate factorization trees with runs (the existence 
of factorization trees of bounded height was established by Simon's celebrated 
factorization theorem [23]). We will use a structural induction on these 
factorization trees and the assumption that no run has an inversion to 
construct a regular resynchronization witnessing one-way resynchronizability of 
the transducer at hand. 

Another important ingredient underlying the main characterization is given 
by the notion of dominant output interval (Section 4.2), which is used to for- 
malize the invariant of our inductive construction. 


4.1 Flows and inversions 


Intervals. An interval of a word is a set of consecutive positions in it. An interval 
is often denoted by I = [i, i'), with i = min(I) and i' = max(I) + 1. Given two 
intervals I = [i, i') and J = [j, j'), we write I < J if i' ≤ j, and we say that I, J 
are adjacent if i' = j. The union of two adjacent intervals I = [i, i'), J = [j, j'), 
denoted I·J, is the interval [i, j') (if I, J are not adjacent, then I·J is undefined). 


Subruns. Given a run ρ of a transducer, a subrun is a factor of ρ. Note that a 
subrun of a two-way transducer may visit a position of the input several times. 
For an input interval I = [i, j) and a run ρ, we say that a subrun ρ' of ρ spans 
over I if i (resp. j) is the smallest (resp. greatest) input position labeling some 
transition of ρ'. The left-hand side of the figure at page 134 gives an example of 
an interval I of an input word together with the subruns α₁, α₂, α₃, β₁, β₂, β₃, γ₁ 
that span over it. Subruns spanning over an interval can be left-to-right, left-to-left, 
right-to-left, or right-to-right depending on where the starting and ending 
positions are w.r.t. the endpoints of the interval. 


Flows. Flows are used to summarize subruns of a two-way transducer that span 
over a given interval. The definition below is essentially taken from [3], except for 
replacing "functional" by "K-visit". Formally, a flow of a transducer T is a graph 
with vertices divided into two groups, L-vertices and R-vertices, labeled by states 
of T, and with directed edges also divided into two groups, productive and non-productive 
edges. The graph satisfies the following requirements. First, edge sources 
are either an L-vertex labeled by a right-reading state, or an R-vertex labeled by 
a left-reading state, and symmetrically for edge destinations; moreover, edges are 
of one of the following types: LL, LR, RL, RR. Second, each node is the endpoint 
of exactly one edge. Finally, L (R, resp.) vertices are totally ordered, in such 
a way that for every LL (RR, resp.) edge (v, v'), we have v < v'. We will only 
consider flows of K-visiting transducers, so flows with at most 2K vertices. For 
example, the flow in the left-hand side of the figure at page 134 has six L-vertices 
on the left, and six R-vertices on the right. The edges α₁, α₂, α₃ are LL, LR, and 
RR, respectively. 

Given a run ρ of T and an interval I = [i, i') on the input, the flow of ρ on 
I, denoted flow_ρ(I), is obtained by identifying every configuration at position i 
(resp. i') with an L (resp. R) vertex, labeled by the state of the configuration, and 
every subrun spanning over I with an edge connecting the appropriate vertices 
(this subrun is called the witnessing subrun of the edge of the flow). An edge is 
said to be productive if its witnessing subrun produces non-empty output. 


Flow monoid. The composition of two flows F and G is defined when the R-vertices 
of F induce the same sequence of labels as the L-vertices of G. In this 
case, the composition results in the flow F·G that has as vertices the L-vertices of 
F and the R-vertices of G, and for edges the directed paths in the graph obtained 
by glueing the R-vertices of F with the L-vertices of G so that states are matched. 
Productiveness of edges is inherited by paths, implying that an edge of F·G 
is productive if and only if the corresponding path contains at least one edge 
(from F or G) that is productive. When the composition is undefined, we simply 
write F·G = ⊥. The above definitions naturally give rise to a flow monoid 
associated with the transducer T, where elements are the flows of T, extended 
with a dummy element ⊥, and the product operation is given by the composition 
of flows, with the convention that ⊥ is absorbing. It is easy to verify that for 
any two adjacent intervals I < J of a run ρ, flow_ρ(I)·flow_ρ(J) = flow_ρ(I·J). 
We denote by M_T the flow monoid of a K-visiting transducer T. 
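Flow composition as defined in this paragraph, as an added example that is not the paper's code. A flow is encoded by the ordered state sequences of its L- and R-vertices plus typed, productive-or-not edges; the three constructed flows are for the three-pass transducer T₂ of Example 3 under assumed state names (p and p2 for the first pass before and after '#', r for the return pass, s and s2 for the final pass), and composition and the loop check F·F = F are run on them.

```python
"""Flows and their composition (Section 4.1).  Added example, not the paper's
code.  A flow summarizes the subruns spanning an input interval: L-vertices
(configurations at the left end) and R-vertices (right end) carry states, and
every vertex is the endpoint of exactly one directed edge."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    left: tuple       # states of the L-vertices, in their total order
    right: tuple      # states of the R-vertices, in their total order
    edges: frozenset  # ((side, idx), (side, idx), productive), side in "LR"

    def __post_init__(self):
        # Each vertex is the source or destination of exactly one edge.
        seen = sorted(v for src, dst, _ in self.edges for v in (src, dst))
        expected = sorted([("L", i) for i in range(len(self.left))] +
                          [("R", j) for j in range(len(self.right))])
        if seen != expected:
            raise ValueError("every vertex needs exactly one incident edge")
        for (s, i), (d, j), _ in self.edges:   # LL/RR edges (v, v') need v < v'
            if s == d and not i < j:
                raise ValueError("LL/RR edge violates the vertex order")


def _outer(node):
    """Glued-graph vertex -> vertex of the composed flow."""
    return ("L", node[1]) if node[0] == "FL" else ("R", node[1])


def compose(f, g):
    """F·G: glue the R-vertices of F with the L-vertices of G (state by state)
    and take the directed paths of the glued graph as edges; a path is
    productive iff one of its edges is.  Returns None for ⊥ (undefined)."""
    if f.right != g.left:
        return None
    # Outgoing edge of each source vertex, in one namespace: ("FL", i) for
    # F's L-vertices, ("M", i) for the glued middle vertices, ("GR", j).
    out = {}
    for (s, i), (d, j), prod in f.edges:
        out[("FL", i) if s == "L" else ("M", i)] = \
            (("FL", j) if d == "L" else ("M", j), prod)
    for (s, i), (d, j), prod in g.edges:
        out[("M", i) if s == "L" else ("GR", i)] = \
            (("M", j) if d == "L" else ("GR", j), prod)
    edges = set()
    for start in out:
        if start[0] == "M":
            continue                    # paths start at an outer vertex
        node, productive = start, False
        while True:
            if node not in out:
                raise ValueError("middle vertex without continuation")
            node, prod = out[node]      # follow the unique outgoing edge
            productive = productive or prod
            if node[0] != "M":
                break                   # reached F's L side or G's R side
        edges.add((_outer(start), _outer(node), productive))
    return Flow(f.left, g.right, frozenset(edges))


def is_idempotent(f):
    """An interval is a loop of a run when its flow F satisfies F·F = F."""
    return compose(f, f) == f


# Constructed flows for T2 of Example 3 (assumed state names): pass 1 moves
# right in state p over u, switches to p2 at '#' and copies v; the return pass
# moves left in state r; pass 3 copies u in state s, then skips v in s2.
U_FLOW = Flow(("p", "r", "s"), ("p", "r", "s"), frozenset({  # interval in u
    (("L", 0), ("R", 0), False),        # LR: pass 1, no output yet
    (("R", 1), ("L", 1), False),        # RL: return pass
    (("L", 2), ("R", 2), True),         # LR: pass 3 copies u
}))
HASH_FLOW = Flow(("p", "r", "s"), ("p2", "r", "s2"), frozenset({  # the '#'
    (("L", 0), ("R", 0), False),
    (("R", 1), ("L", 1), False),
    (("L", 2), ("R", 2), False),
}))
V_FLOW = Flow(("p2", "r", "s2"), ("p2", "r", "s2"), frozenset({  # in v
    (("L", 0), ("R", 0), True),         # LR: pass 1 copies v
    (("R", 1), ("L", 1), False),
    (("L", 2), ("R", 2), False),
}))


def whole_input_flow():
    """flow(I·J·K) = flow(I)·flow(J)·flow(K) over u, '#', v: both straight
    LR edges end up productive (pass 1 on v, pass 3 on u)."""
    return compose(compose(U_FLOW, HASH_FLOW), V_FLOW)


if __name__ == "__main__":
    print("interval inside u is a loop:", is_idempotent(U_FLOW))   # True
    print("the '#' interval is a loop:", is_idempotent(HASH_FLOW))  # False
    print("flow of u#v:", sorted(whole_input_flow().edges))
```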


Let us estimate the size of M_T. If Q is the set of states of T, there are at most 
|Q|^{2K} possible sequences of L- and R-vertices; and the number of edges (marked 
as productive or not) is bounded by (2K choose K)·(2K)^K·2^K ≤ (2K+1)^{2K}. Including the 
dummy element ⊥ in the flow monoid, we get |M_T| ≤ (|Q|·(2K+1))^{2K} + 1 =: M. 


Loops. A loop of a run ρ over input w is an interval I = [i, j) with a flow F = 
flow_ρ(I) such that F·F = F (call F idempotent). The run ρ can be pumped on a 
loop I = [i, j) as expected: given n > 0, we let pump_I^n(ρ) be the run obtained 
from ρ by glueing the subruns that span over the intervals [1, i) and [j, |w|+1) 
with n copies of the subruns spanning over I (see figure to the right). 

[Figure: a run ρ with a loop I, and the pumped run pump_I^n(ρ) with n copies of the subruns spanning over I.] 


The lemma below shows that the occurrence order relative to subruns witnessing 
LR or RL edges of a loop (called straight edges, for short) is preserved 
when pumping the loop. This seemingly straightforward lemma is needed for 
detecting inversions and its proof is surprisingly non-trivial. For example, the 
external edge connecting the two L-vertices 1, 2 in the figure above appears before 
edge α₂, and also before every copy of α₂ in the run where loop I is pumped. 


Lemma 3. Let ρ be a run of T on u, let J < I < K be a partition of the domain 
of u into intervals, with I a loop of ρ, and let F = flow_ρ(J), E = flow_ρ(I), and 
G = flow_ρ(K) be the corresponding flows. Consider an arbitrary edge f of either 
F or G, and a straight edge e of the idempotent flow E. Let ρ_f and ρ_e be the 
witnessing subruns of f and e, respectively. Then the occurrence order of ρ_f and 
ρ_e in ρ is the same as the occurrence order of ρ_f and any copy of ρ_e in pump_I^n(ρ). 


We can now recall the key notion of inversion: 

Definition 3 (inversion). An inversion of ρ is a tuple (I, e, I', e') such that 

– I, I' are loops of ρ and I < I', 

– e, e' are productive straight edges in flow_ρ(I) and flow_ρ(I'), respectively, 

– the subrun witnessing e' precedes the subrun witnessing e in the run order 

(see the figure to the right). 

[Figure: two loops I < I' whose productive straight edges e, e' occur in inverted order in the run.] 


4.2 Dominant output intervals 


In this section we identify some particular intervals of the output that play an 
important role in the inductive construction of the resynchronizer for a one-way 
resynchronizable transducer. 

Given n ∈ ℕ, we say that a set B of output positions is n-large if |orig(B)| > 
n; otherwise, we say that B is n-small. Recall that here we work with a K-visiting 
transducer T, for some constant K, and that M = (|Q|·(2K+1))^{2K} + 1 
is an upper bound to the size of the flow monoid M_T. We will extensively use 
the derived constant C = M^{2K} to distinguish between large and small sets of 
output positions. The intuition behind this constant is that any set of output 
positions that is C-large must traverse a loop of ρ. This is captured by the lemma 
below. The proof uses algebraic properties of the flow monoid M_T [20] (see also 
Theorem 7.2 in [3], which proves a similar result, but with a larger constant 
derived from Simon's factorization theorem): 


Lemma 4. Let I be an input interval and B a set of output positions with 
origins inside I. If B is C-large, then there is a loop J ⊆ I of ρ such that 
flow_ρ(J) contains a productive straight edge witnessed by a subrun that intersects 
B (in particular, out(J) ∩ B ≠ ∅). 


We need some more notations for outputs. Given an input interval I we 
denote by out_ρ(I) the set of output positions whose origins belong to I (note 
that this might not be an output interval). An output block of I is a maximal 
interval contained in out_ρ(I). 

The dominant output interval of I, denoted bigout_ρ(I), is the smallest output 
interval that contains all C-large output blocks of I. In particular, bigout_ρ(I) 
either is empty or begins with the first C-large output block of I and ends with 
the last C-large output block of I. We will often omit the subscript ρ from the 
notations flow_ρ(I), out_ρ(I), bigout_ρ(I), etc., when no confusion arises. 

We now fix a successful run ρ of the K-visiting transducer T. The rest of 
the section presents some technical lemmas that will be used in the inductive 
constructions for the proof of the main theorem. In the lemmas below, we assume 
that all successful runs of T (in particular, ρ) avoid inversions. 
Lemma 5. Let I₁ < I₂ be two input intervals and B₁, B₂ output blocks of I₁, 
I₂, respectively. If both B₁, B₂ are C-large, then B₁ < B₂. 


Proof (sketch). If the claim did not hold, then Lemma 4 would provide some 
loops J₁ ⊆ I₁ and J₂ ⊆ I₂, together with some productive edges in them, 
witnessing an inversion. 


Lemma 6. Let I = I₁·I₂, B = bigout(I), and B_i = bigout(I_i) for i = 1, 2. 
Then B \ (B₁ ∪ B₂) is 4K C-small. 


Proof (sketch). By Lemma 5, B₁ < B₂. Moreover, all C-large output blocks 
of I₁ or I₂ are also C-large output blocks of I, so B contains both B₁ and B₂. 
Suppose, by way of contradiction, that B \ (B₁ ∪ B₂) is 4K C-large. This means 
that there is a 2K C-large set S ⊆ B \ (B₁ ∪ B₂) with origins entirely to the left of 
I₂, or entirely to the right of I₁. Suppose, w.l.o.g., that the former case holds, and 
decompose S as a union of maximal output blocks B'₁, B'₂, ..., B'_n with origins 
either entirely inside I₁, or entirely outside. Since S ∩ B₁ = ∅, every block B'_i 
with origins inside I₁ is C-small. Similarly, one can prove that every block B'_i 
with origins outside I₁ is C-small too. Moreover, since ρ is K-visiting, we get 
n ≤ 2K. Altogether, this contradicts the assumption that S is 2K C-large. 


Lemma 7. Let I = I₁·I₂···I_n, such that I is a loop and flow(I) = flow(I_k) 
for all k. Then bigout(I) can be decomposed as B₁·J₁·B₂·J₂···J_{n−1}·B_n, 
where 

1. for all 1 ≤ k ≤ n, B_k = bigout(I_k) (with B_k possibly empty); 
2. for all 1 ≤ k < n, the positions in J_k have origins inside I_k ∪ I_{k+1} and J_k is 
2K C-small. 


Proof (sketch). The proof idea is similar to the previous lemma. First, using 
properties of idempotent flows, one shows that all output positions strictly between 
B_k and B_{k+1}, for any k = 1, ..., n−1, have origin in I_k ∪ I_{k+1}. Then, one 
observes that every output block of I_k disjoint from B_k is C-small, and since 
T is K-visiting there are at most K such blocks. This shows that every output 
interval J_k between B_k and B_{k+1} is 2K C-small. For an illustration see the 
figure to the right. The C-large blocks in I₁ are shown in red; in blue those for I₂, 
in purple those for I₃. So bigout(I₁) is the entire output between the two red dots, 
bigout(I₂) between the two blue dots, and bigout(I₃) between the purple dots. 
All three blocks are non-empty, and bigout(I₁·I₂·I₃) goes from the first red to 
the second purple dot. Black non-dashed arrows stand for C-small blocks. 

[Figure: the output blocks of I₁ (red), I₂ (blue) and I₃ (purple), with the dominant output intervals bigout(I₁), bigout(I₂), bigout(I₃) and bigout(I₁·I₂·I₃).] 


One-way Resynchronizability of Word Transducers 137 


5 Proof of Theorem 1 


This section is devoted to proving the characterization of one-way resynchronizability 
in the bounded-visit case. We will use the notion of bounded traversal 
from [21], which was shown to characterize the class of bounded regular resynchronizers, 
much as bounded delay characterizes rational resynchronizers [15]. 


Definition 4 (traversal [21]). Let σ = (u, v, orig) and σ' = (u, v, orig') be 
two synchronized pairs with the same input and output words. 

Given two input positions y, y' ∈ dom(u), we say that y traverses y' if there is 
a pair (y, z) of source and target origins associated with the same output position 
such that y' is between y and z, with y' ≠ z and possibly y' = y. More precisely: 

– (y, y') is a left-to-right traversal if y ≤ y' and for some output position x, 
orig(x) = y and z = orig'(x) > y'; 

– (y, y') is a right-to-left traversal if y ≥ y' and for some output position x, 
orig(x) = y and z = orig'(x) < y'. 

A pair (σ, σ') of synchronized pairs with input u and output v is said to have 
k-bounded traversal, with k ∈ ℕ, if every y' ∈ dom(u) is traversed by at most k 
distinct positions of dom(u). 

A resynchronizer R has bounded traversal if there is some k ∈ ℕ such that 
every (σ, σ') ∈ R has k-bounded traversal. 


Lemma 8 ([21]). A regular resynchronizer is bounded if and only if it has 
bounded traversal. 


Proof (of Theorem 1). First of all, observe that the implication 4 ⇒ 1 is straightforward. 
To prove the implication 1 ⇒ 2, assume that there is a k-bounded, 
regular resynchronizer R that is T-preserving and such that R(T) is order-preserving. 
Lemma 8 implies that R has t-bounded traversal, for some constant 
t. We head towards proving that T has cross-width bounded by t + k. Consider 
two synchronized pairs σ = (u, v, orig) and σ' = (u, v, orig') such that σ ∈ [T] 
and (σ, σ') ∈ R, and consider a cross (X₁, X₂) of σ. We claim that |orig(X₁)| 
or |orig(X₂)| is at most t + k. Let x₁ = min(orig(X₁)), x'₁ = max(orig'(X₁)), 
x₂ = max(orig(X₂)), and x'₂ = min(orig'(X₂)). Since (X₁, X₂) is a cross, we 
have x₁ > x₂, and since σ' is order-preserving, we have x'₁ ≤ x'₂. Now, if 
x'₂ > x₂, then at least |orig(X₂)| − k input positions from X₂ traverse x'₂ to 
the right (the −k term is due to the fact that at most k input positions can be 
resynchronized to x'₂). Symmetrically, if x'₂ ≤ x₂, then at least |orig(X₁)| − k 
input positions from X₁ traverse x₂ to the left (the −k term accounts for the 
case where some positions are resynchronized to x'₁ and x'₁ = x₂). This implies 
min(|orig(X₁)|, |orig(X₂)|) ≤ t + k, as claimed. 
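The quantities used in Definition 2, Definition 4 and the argument just given, as an added example that is not the paper's code: it computes order preservation, the cross-width of a synchronized pair and the traversal bound of a pair (σ, σ'), and checks them on constructed instances of T₁ (Example 2, with its resynchronizer R) and T₂ (Example 3). The encoding of a synchronized pair as a list of origins and the exhaustive split-point/threshold search for crosses are assumptions of this example.

```python
"""Order preservation, cross-width (Definition 2) and traversal (Definition 4)
of synchronized pairs, checked on Examples 2 and 3.  Added example, not the
paper's code.  A synchronized pair (u, v, orig) is encoded as the words u, v
and a list orig with orig[x] = 1-based input origin of output position x."""


def is_order_preserving(orig):
    """Later output positions never have earlier origins.  Non-decreasing,
    not strictly increasing: a one-way transducer may emit several output
    letters while reading one input letter, and a cross (below) needs
    orig(x1) > orig(x2) to violate the property."""
    return all(orig[x] <= orig[x + 1] for x in range(len(orig) - 1))


def cross_width(orig):
    """Maximal width of a cross (X1, X2): every position of X1 precedes every
    position of X2 in the output, while every origin of X1 lies after every
    origin of X2; the width is min(|orig(X1)|, |orig(X2)|).  Enlarging either
    set never shrinks the width, so it suffices to try every output split
    point p and every origin threshold q with the maximal sets
    X1 = {x < p : orig(x) > q} and X2 = {x >= p : orig(x) <= q}."""
    best = 0
    for p in range(1, len(orig)):
        for q in set(orig):
            origins1 = {orig[x] for x in range(p) if orig[x] > q}
            origins2 = {orig[x] for x in range(p, len(orig)) if orig[x] <= q}
            if origins1 and origins2:
                best = max(best, min(len(origins1), len(origins2)))
    return best


def max_traversal(orig, orig2):
    """Smallest t such that (sigma, sigma') has t-bounded traversal, for two
    synchronized pairs with the same u and v.  Source origin y traverses y'
    when some output position x has orig(x) = y, orig'(x) = z and y' lies
    between y and z, with y' != z (y' = y allowed)."""
    traversed_by = {}
    for y, z in zip(orig, orig2):
        for yp in range(min(y, z), max(y, z) + 1):
            if yp != z:
                traversed_by.setdefault(yp, set()).add(y)
    return max((len(s) for s in traversed_by.values()), default=0)


def t1_pair(w, a):
    """Example 2: T1 moves the last letter a of the input w·a to the front.
    The output a·w keeps the origin of a at the last input position."""
    u, v = w + a, a + w
    return u, v, [len(u)] + list(range(1, len(w) + 1))


def resync_last_to_front(orig):
    """The resynchronizer R of Example 2: the moved letter (output position 0)
    gets target origin 1, the first input position; nothing else moves."""
    return [1] + orig[1:]


def t2_pair(u1, u2):
    """Example 3: T2 reads u1#u2 and outputs u2·u1 with the natural origins."""
    u, v = u1 + "#" + u2, u2 + u1
    orig = list(range(len(u1) + 2, len(u) + 1)) + list(range(1, len(u1) + 1))
    return u, v, orig


if __name__ == "__main__":
    _, _, orig1 = t1_pair("abc", "d")
    target1 = resync_last_to_front(orig1)
    print("T1 cross-width:", cross_width(orig1))                         # 1
    print("T1 order-preserving before/after R:",
          is_order_preserving(orig1), is_order_preserving(target1))
    print("traversal bound t of R on T1:", max_traversal(orig1, target1))  # 1
    # T2's cross-width grows with |u1| = |u2|: it is unbounded.
    for n in range(1, 5):
        print("T2 cross-width for n =", n, ":",
              cross_width(t2_pair("a" * n, "b" * n)[2]))
```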

The remaining implications rely on the assumption that T is bounded-visit. 

The implication 2 ⇒ 3 is shown by contraposition: one considers a successful 
run ρ with an inversion, and shows that crosses of arbitrary width emerge after 
pumping the loops of the inversion (here Lemma 3 is crucial). 
The proof of 3 ⇒ 4 is more involved, so we only sketch it here. Assuming 
that no successful run of T has inversions, we build a partially bijective, regular 
resynchronizer R that is T-preserving and such that R(T) is order-preserving. The 
resynchronizer R uses some parameters to guess a successful run ρ of T on u and a 
factorization tree of bounded height for ρ. Formally, a factorization tree for a 
sequence a of monoid elements (e.g. the flows flow_ρ([y, y]) for all input positions 
y) is an ordered, unranked tree whose yield is the sequence a. The leaves of 
the factorization tree are labeled with the elements of a. All other nodes have 
at least two children and are labeled by the monoid product of the child labels 
(in our case by the flows of ρ induced by the covered factors in the input). In 
addition, if a node has more than two children, then all its children must have 
the same label, representing an idempotent element of the monoid. By Simon's 
factorization theorem [23], every sequence of monoid elements has some factorization 
tree of height at most linear in the size of the monoid (in our case, at 
most 3|M_T|, see e.g. [8]). 

Parameters. We use input parameters to encode the successful run ρ and a 
factorization tree for ρ of height at most H = 3|M_T|. These parameters specify, 
for each input interval corresponding to a subtree, the start and end positions of 
the interval and the label of the root of the subtree. Correctness of these annotations 
can be enforced by an MSO sentence ipar. The run and the factorization 
tree also need to be encoded over the output, using output parameters. More 
precisely, given a level in the tree and an output position, we need to be able to 
determine the flow and the productive edge that generated that position. We 
omit the technical details for checking correctness of the output annotation using 
the formulas opar, move_τ, and next_{τ,τ'}. 

Moving origins. For each level ℓ of the factorization tree, a partial resynchronization 
relation R_ℓ is defined. The relation is partial in the sense that some 
output positions may not have a source-target origin pair defined at a given level. 
But once a source-target pair is defined for some output position at a given level, 
it remains defined for all higher levels. 

In the following we write bigout(p) for the dominant output interval associated 
with the input interval I(p) corresponding to a node p in the tree. For every 
level ℓ of the factorization tree, the resynchronizer R_ℓ will be a partial function 
from source origins to target origins, and will satisfy the following: 

– the set of output positions for which R_ℓ defines target origins is the union 
of the intervals bigout(p) for all nodes p at level ℓ; 

– R_ℓ only moves origins within the same interval at level ℓ, that is, R_ℓ defines 
only pairs (y, z) of source-target origins such that y, z ∈ I(p) for some node 
p at level ℓ; 

– the target origins defined by R_ℓ are order-preserving within every interval 
at level ℓ, that is, for all output positions x < x', if R_ℓ defines the target 
origins of x, x' to be z, z', respectively, and if z, z' ∈ I(p) for some node p at 
level ℓ, then z ≤ z'; 

– R_ℓ is ℓ·4KC-bounded, namely, there are at most ℓ·4KC distinct source 
origins that are moved by R_ℓ to the same target origin. 
The construction of R_ℓ is by induction on ℓ. For a binary node p at level 
ℓ with children p₁, p₂, the resynchronizer R_ℓ inherits the source-target origin pairs 
from level ℓ−1 for output positions that belong to bigout(p₁) ∪ bigout(p₂). 
Note that bigout(p₁) < bigout(p₂) by Lemma 5, so R_ℓ is order-preserving inside 
bigout(p₁) ∪ bigout(p₂). Output positions inside bigout(p) \ (bigout(p₁) ∪ 
bigout(p₂)) are moved in an order-preserving manner to one of the extremities 
of I(p), or to the last position of I(p₁). Boundedness of R_ℓ is guaranteed by 
Lemma 6. 

The case where p is an idempotent node at level ℓ with children p₁, p₂, ..., p_n 
follows a similar approach. For brevity, let I_i = I(p_i) and B_i = bigout(p_i), 
and observe that, by Lemma 5, B₁ < B₂ < ··· < B_n. Lemma 7 provides a 
decomposition of bigout(p) as B₁·J₁·B₂·J₂···J_{n−1}·B_n, for some 2K C-small 
output intervals J_k with origins inside I_k ∪ I_{k+1}, for k = 1, ..., n−1. As before, 
the resynchronizer R_ℓ behaves exactly as R_{ℓ−1} for the output positions inside 
the B_i's. For any other output position, say x ∈ J_k, the resynchronizer R_ℓ will 
move the origin either to the last position of I_k or to the first position of I_{k+1}, 
depending on whether the source origin of x belongs to I_k or I_{k+1}. 


6 Proof overview of Theorem 2 


The main obstacle towards dropping the bounded-visit restriction from Theorem 1, 
while maintaining the effectiveness of the characterization, is the lack of a 
bound on the number of flows. Indeed, for a transducer T that is not necessarily 
bounded-visit, there is no bound on the number of flows that encode successful 
runs of T, and thus the proofs of the implications 2 ⇒ 3 ⇒ 4 are not applicable 
anymore. However, the proofs of the implications 1 ⇒ 2 and 4 ⇒ 1 remain valid, 
even for a transducer T that is not bounded-visit. 

The idea for proving Theorem 2 is to transform T into an equivalent bounded- 
visit transducer low(T), so that the property of one-way resynchronizability is 
preserved. More precisely, given a two-way transducer T, we construct: 


1. a bounded-visit transducer low(T) that is classically equivalent to T, 
2. a 1-bounded, regular resynchronizer R that is T-preserving and such that 
R(T) =_o low(T). 


We can apply our characterization of one-way resynchronizability in the 
bounded-visit case to the transducer low(T). If low(T) is one-way resynchronizable, 
then by Theorem 1 we obtain another partially bijective, regular resynchronizer 
R' that is low(T)-preserving and such that R'(low(T)) is order-preserving. 
Thanks to Lemma 2, the resynchronizers R and R' can be composed, so we conclude 
that the original transducer T is one-way resynchronizable. Otherwise, 
if low(T) is not one-way resynchronizable, we show that neither is T. This is 
precisely shown in the lemma below. 


Lemma 9. For all transducers T, T', with T' bounded-visit, and for every partially 
bijective, regular resynchronizer R that is T-preserving and such that 
R(T) =_o T', T is one-way resynchronizable if and only if T' is one-way 
resynchronizable. 


140 S. Bose et al. 


There are however some challenges in the approach described above. First, as 
T may output arbitrarily many symbols with origin in the same input position, 
and low(T) is bounded-visit, we need low(T) to be able to produce arbitrarily 
long outputs within a single transition. For this reason, we allow low(T) to be 
a transducer with regular outputs. The transition relation of such a transducer 
consists of finitely many tuples of the form (q, a, L, q'), with q, q' ∈ Q, a ∈ Σ, 
and L ⊆ Γ* a regular language over the output alphabet. The semantics of a 
transition rule (q, a, L, q') is that, upon reading a, the transducer can switch from 
state q to state q', and move its head accordingly, while outputting any word 
from L. We also need to use transducers with common guess. Both extensions, 
regular outputs and common guess, already appeared in prior works (cf. [5,7]), 
and the proof of Theorem 1 in the bounded-visit case can be easily adapted to 
these features. 

There is still another problem: we cannot always expect that there exists a 
bounded-visit transducer low(T) classically equivalent to T. Consider, for in- 
stance, the transducer that performs several passes on the input, and on each 
left-to-right pass, at an arbitrary input position, it copies as output the letter 
under its head. It is easy to see that the Parikh image of the output is an exact 
multiple of the Parikh image of the input, and standard pumping arguments 
show that no bounded-visit transducer can realize such a relation. 

A solution to this second problem is as follows. Before trying to construct 
low(T), we test whether T satisfies the following condition on vertical loops 
(these are runs starting and ending at the same position and in the same state). 
There should exist some K such that T is K-sparse, meaning that the number of 
different origins of outputs generated inside some vertical loop is at most K. If 
this condition is not met, then we show that T has unbounded cross-width, and 
hence, by the implication 1 ⇒ 2 of Theorem 1, T is not one-way resynchronizable. 
Otherwise, if the condition holds, then we show that a bounded-visit transducer 
low(T) equivalent to T can indeed be constructed. 


7 Complexity 


We discuss the effectiveness and complexity of our characterization. For a k-visit 
transducer T, the effectiveness of the characterization relies on detecting 
inversions in successful runs of T. It is not difficult to see that this can be decided 
in space that is polynomial in the size of T and the bound k. We can also show 
that one-way resynchronizability is PSPACE-hard. For this we recall that the 
emptiness problem for two-way finite automata is PSPACE-complete. Let A be a 
two-way automaton accepting some language L, and let Σ be a binary alphabet 
disjoint from that of L. The function {(w·a₁…a_n, a_n…a₁) | w ∈ L, a₁…a_n ∈ 
Σ*, n > 0} can be realized by a two-way transducer T of size polynom2ial in |A|, 
and T is one-way resynchronizable if and only if L is empty. 
In the unrestricted case, we showed that one-way resynchronizability is decidable 
(Theorem 2). We briefly outline the complexity of the decision procedure: 


1. First one checks that T is K-sparse for some K. To do this, we construct 
from T the regular language L of all inputs with some positions marked 
that correspond to origins produced within the same vertical loop. Bounded 
sparsity is equivalent to having a uniform bound on the number of marked 
positions in every input from L. Standard techniques for two-way automata 
make it possible to decide this in space that is polynomial in the size of T. Moreover, 
this also gives us a computable exponential bound on the largest constant K 
for which T can be K-sparse. 

2. Next, we construct from the K-sparse transducer T a bounded-visit trans- 
ducer T’ that is classically equivalent to T and has exponential size. 

3. Finally, we decide one-way resynchronizability of T' by detecting inversions 
in successful runs of T' (Theorem 1). 


Summing up, one can decide one-way resynchronizability of unrestricted two- 
way transducers in exponential space. It is open if this bound is optimal. We 
also do not have any interesting bound on the size of the resynchronizer that 
witnesses one-way resynchronizability, both in the bounded-visit case and in the 
unrestricted case. Similarly, we lack upper and lower bounds on the size of the 
resynchronized one-way transducers, when these exist. 


8 Conclusions 


As the main contribution of this paper, we provided a characterization of the 
subclass of two-way transducers that are one-way resynchronizable, namely, those that 
can be transformed, by some bounded, regular resynchronizer, into an origin-equivalent 
one-way transducer. 

There are similar definability problems that emerge in the origin semantics. 
For instance, one could ask whether a given two-way transducer can be resyn- 
chronized, through some bounded, regular resynchronization, to a relation that is 
origin-equivalent to a first-order transduction. This can be seen as a relaxation of 
the first-order definability problem in the origin semantics, namely, the problem 
of telling whether a two-way transducer is origin-equivalent to some first-order 
transduction, shown decidable in [4]. It is worth contrasting the latter problem 
with the challenging open problem whether a given transduction is equivalent 
to a first-order transduction in the classical setting. 
Abstract. Session types are widely used as abstractions of asynchronous 
message passing systems. Refinement for such abstractions is crucial as 
it allows improvements of a given component without compromising its 
compatibility with the rest of the system. In the context of session types, 
the most general notion of refinement is the asynchronous session subtyping, 
which allows anticipating message emissions but only under certain 
conditions. In particular, asynchronous session subtyping rules out candidate 
subtypes that occur naturally in communication protocols where, 
e.g., two parties simultaneously send each other a finite but unspecified 
amount of messages before removing them from their respective buffers. 
To address this shortcoming, we study fair compliance over asynchronous 
session types and fair refinement as the relation that preserves it. This 
allows us to propose a novel variant of session subtyping that leverages 
the notion of controllability from service contract theory and that is a 
sound characterisation of fair refinement. In addition, we show that both 
fair refinement and our novel subtyping are undecidable. We also present 
a sound algorithm, and its implementation, which deals with examples 
that feature potentially unbounded buffering. 


Keywords: Session types · Asynchronous communication · Subtyping. 


1 Introduction 


The coordination of software components via message-passing techniques is be- 
coming increasingly popular in modern programming languages and development 
methodologies based on actors and microservices, e.g., Rust, Go, and the Twelve- 
Factor App methodology [1]. Often the communication between two concurrent 
or distributed components takes place over point-to-point FIFO channels. 
Abstract models such as communicating finite-state machines [5] and asyn- 
chronous session types [21] are essential to reason about the correctness of such 
systems in a rigorous way. In particular these models are important to rea- 
son about mathematically grounded techniques to improve concurrent and dis- 
tributed systems in a compositional way. The key question is whether a com- 
ponent can be refined independently of the others, without compromising the 
correctness of the whole system. In the theory of session types, the most general
notion of refinement is the asynchronous session subtyping [14, 15, 26], which 
leverages asynchrony by allowing the refined component to anticipate message 
emissions, but only under certain conditions. Notably asynchronous session sub- 
typing rules out candidate subtypes that occur naturally in communication pro- 
tocols where, e.g., two parties simultaneously send each other a finite but un- 
specified amount of messages before removing them from their buffers. 


We illustrate this key limitation of asynchronous session subtyping with Figure 1,
which depicts possible communication protocols between a spacecraft and
a ground station. For convenience, the protocols are represented as session types
(bottom) and equivalent communicating finite-state machines (top). Consider
$T_S$ and $T_G$ first. Session type $T_S$ is the abstraction of the spacecraft. It may
send a finite but unspecified number of telemetries (tm), followed by a message
over; this phase of the protocol typically models a for loop and its exit. In the
second phase, the spacecraft receives a number of telecommands (tc), followed
by a message done. Session type $T_G$ is the abstraction of the ground station. It is
the dual of $T_S$, written $\overline{T_S}$, as required in standard binary session types without
subtyping. Since $T_G$ and $T_S$ are dual of each other, the theory of session types
guarantees that they form a correct composition, namely both parties terminate
successfully, with empty queues.


However, it is clear that this protocol is not efficient: the communication is 
half-duplex, i.e., it is never the case that more than one party is sending at any 
given time. Using full-duplex communication is crucial in distributed systems 
with intermittent connectivity, e.g., in this case ground stations are not always 
visible from low orbit satellites. 


The abstraction of a more efficient ground station is given by type $T'_G$, which
sends telecommands before receiving telemetries. It is clear that $T'_G$ and $T_S$
form a correct composition. Unfortunately $T'_G$ is not an asynchronous subtype
of $T_G$ according to earlier definitions of session subtyping [14,15,26]. Hence they
cannot formally guarantee that $T'_G$ is a safe replacement for $T_G$. Concretely, these
subtyping relations allow for anticipation of emissions (output) only when they
are preceded by a bounded number of receptions (input), but this does not hold
between $T'_G$ and $T_G$ because the latter starts with a loop of inputs. Note that
the composition of $T'_G$ and $T_S$ is not existentially bounded, hence it cannot be
verified by related communicating finite-state machines techniques [4,19,20,24].


In this paper we address this limitation of previous asynchronous session 
subtyping relations. To do this, we move to an alternative notion of correct com- 
position. In [14] the authors show that their subtyping relation is fully abstract 
w.r.t. the notion of orphan-message-free composition. More precisely, it captures 
exactly a notion of refinement that preserves the possibility for all sent messages 
to be consumed along all possible computations of the receiver. In the spacecraft 
example, given the initial loop of outputs in $T'_G$, there is an extreme case in which
it performs infinitely many outputs without consuming any incoming messages. 
Nevertheless, this limit case cannot occur under the natural assumption that 
[Figure 1, top: communicating finite-state machines for $T'_G$, $T_G$ and $T_S$; the drawing is not recoverable from the text.]

$T'_G = \mu t.\oplus\{tc : t,\ done : \mu t'.\&\{tm : t',\ over : end\}\}$

$T_G = \mu t.\&\{tm : t,\ over : \mu t'.\oplus\{tc : t',\ done : end\}\}$

$T_S = \mu t.\oplus\{tm : t,\ over : \mu t'.\&\{tc : t',\ done : end\}\}$


Fig. 1. Satellite protocols. $T'_G$ is the refined session type of the ground station, $T_G$ is
the session type of the ground station, and $T_S$ is the session type of the spacecraft.


the loop of outputs eventually terminates, i.e., only a finite (but unspecified) 
amount of messages can be emitted. 


The notion of correct composition that we use is based on fair compliance, 
which requires each component to always be able to eventually reach a success- 
ful final state. This is a liveness property, holding under full fairness [32], used 
also in the theory of should testing [30] where “every reachable state is required 
to be on a path to success”. This is a natural constraint since even programs 
that conceptually run indefinitely must account for graceful termination (e.g., to 
release acquired resources). Previously, fair compliance has been considered to 
reason formally about component/service composition with synchronous session 
types [29] and synchronous behavioural contracts [11]. A preliminary formali- 
sation of fair compliance for asynchronous behavioural contracts was presented 
in [10], but considering an operational model very different from session types. 


Given a notion of fair compliance defined on an operational model for asyn- 
chronous session types, we define fair refinement as the relation that preserves it. 
Then, we propose a novel variant of session subtyping called fair asynchronous 
session subtyping, that leverages the notion of controllability from service con- 
tract theory, and which is a sound characterisation of fair refinement. We show 
that both fair refinement and fair asynchronous session subtyping are undecid- 
able, but give a sound algorithm for the latter. Our algorithm covers session 
types that exhibit complex behaviours (including the spacecraft example and 
variants). Our algorithm has been implemented in a tool available online [31]. 


Structure of the paper The rest of this paper is structured as follows. In § 2 
we recall syntax and semantics of asynchronous session types, we define fair 
compliance and the corresponding fair refinement. In § 3 we introduce fair asyn- 
chronous subtyping, the first relation of its kind to deal with examples such as 
those in Figure 1. In § 4 we propose a sound algorithm for subtyping that sup- 
ports examples with unbounded accumulations, including the ones discussed in 
this paper. In § 5 we discuss the implementation of this algorithm. Finally, in 
§ 6 we discuss related works and future work. We give proofs for all our results 
and examples of output from our tool in [9]. 
2 Refinement for Asynchronous Session Types


In this section we first recall the syntax of two-party session types, their reduction 
semantics, and a notion of compliance centred on the successful termination of 
interactions. We define our notion of refinement based on this compliance and 
show that it is generally undecidable whether a type is a refinement of another. 


2.1 Preliminaries: Asynchronous Session Types 


Syntax. The formal syntax of two-party session types is given below. We follow
the simplified notation used in, e.g., [7,8], without dedicated constructs for send- 
ing an output/receiving an input. Additionally we abstract away from message 
payloads since they are orthogonal to the results of this paper. 


Definition 1 (Session Types). Given a set of labels L, ranged over by l, the 
syntax of two-party session types is given by the following grammar: 


$T ::= \oplus\{l_i : T_i\}_{i \in I} \mid \&\{l_i : T_i\}_{i \in I} \mid \mu t.T \mid t \mid end$


Output selection $\oplus\{l_i : T_i\}_{i \in I}$ represents a guarded internal choice, specifying
that a label $l_i$ is sent over a channel, then continuation $T_i$ is executed. Input
branching $\&\{l_i : T_i\}_{i \in I}$ represents a guarded external choice, specifying a protocol
that waits for messages. If message $l_i$ is received, continuation $T_i$ takes place.
In selections and branchings each branch is tagged by a label $l_i$, taken from a
global set of labels $\mathcal{L}$. In each selection/branching, these labels are assumed to
be pairwise distinct. In the sequel, we leave implicit the index set $i \in I$ in input
branchings and output selections when it is clear from the context. Types $\mu t.T$
and $t$ denote standard recursion constructs. We assume recursion to be guarded
in session types, i.e., in $\mu t.T$, the recursion variable $t$ occurs within the scope
of a selection or branching. Session types are closed, i.e., all recursion variables
$t$ occur under the scope of a corresponding binder $\mu t.T$. Terms of the session
syntax that are not closed are dubbed (session) terms. Type $end$ denotes the
end of the interactions.

The dual of session type $T$, written $\overline{T}$, is inductively defined as follows:
$\overline{\oplus\{l_i : T_i\}_{i \in I}} = \&\{l_i : \overline{T_i}\}_{i \in I}$, $\overline{\&\{l_i : T_i\}_{i \in I}} = \oplus\{l_i : \overline{T_i}\}_{i \in I}$, $\overline{end} = end$, $\overline{t} = t$,
and $\overline{\mu t.T} = \mu t.\overline{T}$.


Operational characterisation. Hereafter, we let $w$ range over words in $\mathcal{L}^*$, write $\epsilon$
for the empty word, and write $w_1 \cdot w_2$ for the concatenation of words $w_1$ and $w_2$,
where each word may contain zero or more labels. Also, we write $T\{T'/t\}$ for $T$
where every free occurrence of $t$ is replaced by $T'$.

We give an asynchronous semantics of session types via transition systems
whose states are configurations of the form $[T_1, w_1] \,|\, [T_2, w_2]$, where $T_1$ and $T_2$
are session types equipped with two sequences $w_1$ and $w_2$ of incoming messages
(representing unbounded buffers). We use $s$, $s'$, etc. to range over configurations.

In this paper, we use explicit unfoldings of session types, as defined below. 
Definition 2 (Unfolding). Given session type $T$, we define $unfold(T)$:

$$unfold(T) = \begin{cases} unfold(T'\{\mu t.T'/t\}) & \text{if } T = \mu t.T' \\ T & \text{otherwise} \end{cases}$$

Definition 2 is standard, e.g., an equivalent function is used in the first session
subtyping [18]. Notice that $unfold(T)$ unfolds all the recursive definitions in front
of $T$, and it is well defined for session types with guarded recursion.


Definition 3 (Transition Relation). The transition relation $\to$ over configurations
is the minimal relation satisfying the rules below (plus symmetric ones):

1. if $j \in I$ then $[\oplus\{l_i : T_i\}_{i \in I}, w_1] \,|\, [T_2, w_2] \to [T_j, w_1] \,|\, [T_2, w_2 \cdot l_j]$;
2. if $j \in I$ then $[\&\{l_i : T_i\}_{i \in I}, l_j \cdot w_1] \,|\, [T_2, w_2] \to [T_j, w_1] \,|\, [T_2, w_2]$;
3. if $[unfold(T_1), w_1] \,|\, [T_2, w_2] \to s$ then $[T_1, w_1] \,|\, [T_2, w_2] \to s$.

We write $\to^*$ for the reflexive and transitive closure of the $\to$ relation.


Intuitively a configuration $s$ reduces to configuration $s'$ when either (1) a
type outputs a message $l_j$, which is added at the end of its partner's queue; (2)
a type consumes an expected message $l_j$ from the head of its queue; or (3) the
unfolding of a type can execute one of the transitions above.

Next, we define successful configurations as those configurations where both
types have terminated (reaching $end$) and both queues are empty. We use this
to give our definition of compliance which holds when it is possible to reach a
successful configuration from all reachable configurations.

Definition 4 (Successful Configuration). The notion of successful configuration
is formalised by a predicate $s\checkmark$ defined as follows:

$$[T, w_T] \,|\, [S, w_S]\checkmark \quad \text{iff} \quad unfold(T) = unfold(S) = end \text{ and } w_T = w_S = \epsilon$$

Definition 5 (Compliance). Given a configuration $s$ we say that it is a correct
composition if, whenever $s \to^* s'$, there exists a configuration $s''$ such that
$s' \to^* s''$ and $s''\checkmark$.

Two session types $T$ and $S$ are compliant if $[T, \epsilon] \,|\, [S, \epsilon]$ is a correct composition.


Observe that our definition of compliance is stronger than what is generally
considered in the literature on session types, e.g., [16,23,24], where two types
are deemed compliant if all messages that are sent are eventually received, and
each non-terminated type can always eventually make a move. Compliance is
analogous to the notion of correct session in [29] but in an asynchronous setting.

A consequence of Definition 5 is that it is generally not the case that a session
type $T$ is compliant with its dual $\overline{T}$, as we show in the example below.


Example 1. The session type $T = \&\{l_1 : end,\ l_2 : \mu t.\oplus\{l_3 : t\}\}$ and its dual
$\overline{T} = \oplus\{l_1 : end,\ l_2 : \mu t.\&\{l_3 : t\}\}$ are not compliant. Indeed, when $\overline{T}$ sends
label $l_2$, the configuration $[end, \epsilon] \,|\, [end, \epsilon]$ is no longer reachable.
2.2 Fair Refinement for Asynchronous Session Types


We introduce a notion of refinement that preserves compliance. This follows 
previous work done in the context of behavioural contracts [11] and synchronous 
multi-party session types [29]. The key difference with these works is that we are 
considering asynchronous communication based on (unbounded) FIFO queues. 
Asynchrony makes fair refinement undecidable, as we show below. 


Definition 6 (Refinement). A session type $T$ refines $S$, written $T \sqsubseteq S$, if for
every $S'$ s.t. $S$ and $S'$ are compliant, $T$ and $S'$ are also compliant.


In contrast to traditional (synchronous and asynchronous) subtyping for session
types [14,18,26], this refinement is not covariant on outputs, i.e., it does
not always allow a refined type to have output selections with fewer labels.³


Example 2. Let $T = \mu t.\oplus\{l_1 : t\}$ and $S = \mu t.\oplus\{l_1 : t,\ l_2 : end\}$. We have
that $T$ is a synchronous (and asynchronous) subtype of $S$. However $T$ is not a
refinement of $S$. In particular, the type $S' = \mu t.\&\{l_1 : t,\ l_2 : end\}$ is compliant
with $S$ but not with $T$, since $T$ does not terminate.
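The semantics of Definitions 3 to 5, exercised on the types of Figure 1 and of Examples 1 and 2, as an added executable example (it is not the paper's code, nor part of its tool). Session types are encoded as nested Python tuples, an encoding assumed here; `dual` is Definition 1, `unfold` is Definition 2, `steps` implements the rules of Definition 3 (rule (3) is applied by keeping the types in a configuration unfolded), and `compliant` checks Definition 5 over a bounded exploration. Because queues are unbounded, the reachable state space is infinite in general, so the checker caps queue length at a chosen bound (3 below, an assumption) and exempts the configurations at which the cap suppressed a send; its verdicts are finite witnesses or counter-witnesses, not proofs.

```python
"""Asynchronous session types with a bounded compliance check (added example).

Encoding of session types, assumed here:
  ('end',) | ('var', t) | ('mu', t, T) | ('out', ((l, T), ...)) | ('in', ((l, T), ...))
Branch tuples are sorted by label so that types and configurations are hashable.
"""
from collections import deque

END = ('end',)
def var(t): return ('var', t)
def mu(t, body): return ('mu', t, body)
def out(**br): return ('out', tuple(sorted(br.items())))   # output selection +{l_i : T_i}
def inp(**br): return ('in', tuple(sorted(br.items())))    # input branching &{l_i : T_i}


def subst(T, t, R):
    """T{R/t}: replace the free occurrences of recursion variable t in T by R."""
    if T[0] == 'var':
        return R if T[1] == t else T
    if T[0] == 'mu':
        return T if T[1] == t else ('mu', T[1], subst(T[2], t, R))
    if T[0] in ('out', 'in'):
        return (T[0], tuple((l, subst(S, t, R)) for l, S in T[1]))
    return T


def dual(T):
    """Definition 1: swap selections and branchings, recursively."""
    if T[0] in ('out', 'in'):
        return ('in' if T[0] == 'out' else 'out', tuple((l, dual(S)) for l, S in T[1]))
    if T[0] == 'mu':
        return ('mu', T[1], dual(T[2]))
    return T


def unfold(T):
    """Definition 2: unfold every recursive definition in front of T."""
    while T[0] == 'mu':
        T = subst(T[2], T[1], T)
    return T


def steps(conf, bound):
    """Successors of (T1, w1, T2, w2) under Definition 3 plus the symmetric rules;
    w1, w2 are the queues of incoming messages.  Returns (successors, cut), where
    cut is True if a send was suppressed because the partner queue already holds
    `bound` messages, i.e. the exploration was truncated at this configuration."""
    T1, w1, T2, w2 = conf
    succ, cut = [], False
    for flip in (False, True):
        me, mine, other, theirs = (T2, w2, T1, w1) if flip else (T1, w1, T2, w2)
        new = []
        if me[0] == 'out':                       # rule (1): append to the partner queue
            if len(theirs) >= bound:
                cut = True
            else:
                new = [(unfold(S), mine, other, theirs + (l,)) for l, S in me[1]]
        elif me[0] == 'in' and mine:             # rule (2): consume the head of own queue
            new = [(unfold(S), mine[1:], other, theirs) for l, S in me[1] if l == mine[0]]
        succ += [(c, d, a, b) if flip else (a, b, c, d) for a, b, c, d in new]
    return succ, cut


def successful(conf):
    """Definition 4: both types are end and both queues are empty."""
    T1, w1, T2, w2 = conf
    return unfold(T1) == END and unfold(T2) == END and not w1 and not w2


def compliant(T, S, bound=3):
    """Bounded approximation of Definition 5 for [T, e] | [S, e].  Configurations
    at which the queue cap suppressed a send are frontier configurations and are
    exempt; True iff every other reachable configuration can reach a successful
    one inside the explored graph."""
    start = (unfold(T), (), unfold(S), ())
    graph, frontier, todo = {}, set(), deque([start])
    while todo:
        s = todo.popleft()
        if s in graph:
            continue
        graph[s], cut = steps(s, bound)
        if cut:
            frontier.add(s)
        todo.extend(graph[s])
    good = {s for s in graph if successful(s)}
    changed = True
    while changed:                               # backward closure: can reach success
        changed = False
        for s, nxt in graph.items():
            if s not in good and any(n in good for n in nxt):
                good.add(s)
                changed = True
    return all(s in good or s in frontier for s in graph)


# Figure 1: ground station T_G, refined ground station T_G1 (T'_G), spacecraft T_S.
T_G = mu('t', inp(tm=var('t'), over=mu('u', out(tc=var('u'), done=END))))
T_G1 = mu('t', out(tc=var('t'), done=mu('u', inp(tm=var('u'), over=END))))
T_S = mu('t', out(tm=var('t'), over=mu('u', inp(tc=var('u'), done=END))))
# Example 1: a type that is not compliant with its own dual.
T_EX1 = inp(l1=END, l2=mu('t', out(l3=var('t'))))
# Example 2: T is a subtype of S but not a refinement, witnessed by S1 (the S' of the example).
T_EX2 = mu('t', out(l1=var('t')))
S_EX2 = mu('t', out(l1=var('t'), l2=END))
S1_EX2 = mu('t', inp(l1=var('t'), l2=END))
```

`compliant(T_G, T_S)` and `compliant(T_G1, T_S)` both hold under the bound, `compliant(T_EX1, dual(T_EX1))` fails exactly as Example 1 describes (after `l2` no successful configuration is reachable), and `compliant(S_EX2, S1_EX2)` holds while `compliant(T_EX2, S1_EX2)` fails, which is the refinement failure of Example 2. Raising the bound does not change these verdicts, but for the full-duplex composition `T_G1 || T_S` no bound makes the exploration exhaustive, which is the sense in which the paper calls it not existentially bounded.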


Next, we show that the refinement relation E is generally undecidable. The 
proof of undecidability exploits results from the tradition of computability the- 
ory, i.e., Turing completeness of queue machines. The crux of the proof is to 
reduce the problem of checking the reachability of a given state in a queue ma- 
chine to the problem of checking the refinement between two session types. 


Preliminaries Below we consider only state reachability in queue machines, and 
not the typical notion of the language recognised by a queue machine (see, e.g., [7] 
for a formalisation of queue machines). Hence, we use a simplified formalisation, 
where no input string is considered. 


Definition 7 (Queue Machine). A queue machine $M$ is defined by a six-tuple
$(Q, \Sigma, \Gamma, \$, s, \delta)$ where:

– $Q$ is a finite set of states;

– $\Sigma$ is a finite set denoting the input alphabet;

– $\Gamma$ is a finite set denoting the queue alphabet (ranged over by $A, B, C, X$);

– $\$ \in \Gamma \setminus \Sigma$ is the initial queue symbol;

– $s \in Q$ is the start state;

– $\delta : Q \times \Gamma \to Q \times \Gamma^*$ is the transition function ($\Gamma^*$ is the set of sequences of
symbols in $\Gamma$).


Considering a queue machine $M = (Q, \Sigma, \Gamma, \$, s, \delta)$, a configuration of $M$ is
an ordered pair $(q, \gamma)$ where $q \in Q$ is its current state and $\gamma \in \Gamma^*$ is the queue.
The starting configuration is $(s, \$)$, composed of the start state $s$ and the initial
queue symbol $\$$.

Next, we define the transition relation ($\to_M$), leading a configuration to
another, and the related notion of state reachability.


³ The synchronous subtyping in [18] follows a channel-oriented approach; hence it has
the opposite direction and is contravariant on outputs.
Definition 8 (State Reachability). Given a machine $M = (Q, \Sigma, \Gamma, \$, s, \delta)$,
the transition relation $\to_M$ over configurations $Q \times \Gamma^*$ is defined as follows.
For $p, q \in Q$, $A \in \Gamma$, and $\alpha, \gamma \in \Gamma^*$, we have $(p, A\alpha) \to_M (q, \alpha\gamma)$ whenever
$\delta(p, A) = (q, \gamma)$. Let $\to_M^*$ be the reflexive and transitive closure of $\to_M$.

A target state $q_f \in Q$ is reachable in $M$ if there is $\gamma \in \Gamma^*$ s.t. $(s, \$) \to_M^* (q_f, \gamma)$.


Since queue machines can deterministically encode Turing machines (see, 
e.g., [7]), checking state reachability for queue machines is undecidable. 


Theorem 1. Given a queue machine $M$ and a target state $q_f$ it is possible to
reduce the problem of checking the reachability of $q_f$ in $M$ to the problem of
checking refinement between two session types.


In the light of the undecidability of reachability in queue machines, we can 
conclude that refinement (Definition 6) is also undecidable. 


2.3 Controllability for Asynchronous Session Types 


Given a notion of compliance, controllability amounts to checking the existence 
of a compliant partner (see, e.g., [12, 25,33]). In our setting, a session type is 
controllable if there exists another session type with which it is compliant. 
Checking for controllability algorithmically is not trivial as it requires to con- 
sider infinitely many potential partners. For the synchronous case, an algorithmic 
characterisation was studied in [29]. In the asynchronous case, the problem is 
even harder because each of the infinitely many potential partners may generate 
an infinite state computation (due to unbounded buffers). The main contribution 
of this subsection is to give an algorithmic characterisation of controllability in 
the asynchronous setting. Doing this is important because controllability is an 
essential ingredient for defining fair asynchronous subtyping, see Section 3. 


Definition 9 (Characterisation of Controllability, $T\ \mathrm{ctrl}$). Given a session
type $T$, we define the judgement $T\ \mathrm{ok}$ inductively as follows:

$$\frac{}{end\ \mathrm{ok}} \qquad \frac{end \in T \qquad T\{end/t\}\ \mathrm{ok}}{\mu t.T\ \mathrm{ok}} \qquad \frac{T\ \mathrm{ok}}{\&\{l : T\}\ \mathrm{ok}} \qquad \frac{\forall i \in I.\ T_i\ \mathrm{ok}}{\oplus\{l_i : T_i\}_{i \in I}\ \mathrm{ok}}$$

where $end \in T$ holds if $end$ occurs in $T$.

We write $T\ \mathrm{ctrl}$ if there exists $T'$ such that (i) $T'$ is obtained from $T$ by
syntactically replacing every input prefix $\&\{l_i : T_i\}_{i \in I}$ occurring in $T$ with a
term $\&\{l_j : T_j\}$ (with $j \in I$) and (ii) $T'\ \mathrm{ok}$ holds.


Notice that a type $T$ such that $T\ \mathrm{ctrl}$ is indeed controllable, in that $\overline{T'}$, the
dual of the type $T'$ considered above, is compliant with $T$ (the premise $end \in T$ in
the rule for recursion guarantees that a successful configuration is
always reachable while looping). Moreover the above definition naturally yields
a simple algorithm that decides whether or not $T\ \mathrm{ctrl}$ holds for a type $T$, i.e.,
we first pick a single branch for each input prefix syntactically occurring in $T$
(there are finitely many of them) and then we inductively check if $T'\ \mathrm{ok}$ holds.

The following theorem shows that the judgement T ctrl, as defined above, 
precisely characterises controllability (i.e., the existence of a compliant type). 
Theorem 2. $T\ \mathrm{ctrl}$ holds if and only if there exists a session type $S$ such that
$T$ and $S$ are compliant.


Example 3. Consider the session type $T = \mu t.\&\{l_1 : \&\{l_2 : \oplus\{l_4 : end,\ l_5 :
\mu t'.\oplus\{l_6 : t'\}\}\},\ l_3 : t\}$. $T\ \mathrm{ctrl}$ does not hold because it is not possible to
construct a $T'$ as specified in Definition 9 for which $T'\ \mathrm{ok}$ holds. By Theor. 2,
there is no session type $S$ that is compliant with $T$. Hence $T$ is not controllable.


3 Fair Asynchronous Session Subtyping 


In this section, we present our novel variant of asynchronous subtyping which 
we dub fair asynchronous subtyping. 

We need to define a distinctive notion of unfolding. Function $selUnfold(T)$
unfolds type $T$ by replacing recursion variables with their corresponding definitions
only if they are guarded by an output selection. In the definition, we
use the predicate $\oplus g(t, T)$ which holds if all instances of variable $t$ are output
selection guarded, i.e., $t$ occurs free in $T$ only inside subterms $\oplus\{l_i : T_i\}_{i \in I}$.


Definition 10 (Selective Unfolding). Given a term $T$, define $selUnfold(T) =$

$$\begin{cases}
\oplus\{l_i : T_i\}_{i \in I} & \text{if } T = \oplus\{l_i : T_i\}_{i \in I} \\
\&\{l_i : selUnfold(T_i)\}_{i \in I} & \text{if } T = \&\{l_i : T_i\}_{i \in I} \\
T'\{\mu t.T'/t\} & \text{if } T = \mu t.T',\ \oplus g(t, T') \\
\mu t.selUnfold(selRepl(t, \hat{t}, T')\{\mu t.T'/\hat{t}\}) \text{ with } \hat{t} \text{ fresh} & \text{if } T = \mu t.T',\ \neg\oplus g(t, T') \\
t & \text{if } T = t \\
end & \text{if } T = end
\end{cases}$$

where $selRepl(t, \hat{t}, T')$ is obtained from $T'$ by replacing the free occurrences of $t$
that are inside a subterm $\oplus\{l_i : S_i\}_{i \in I}$ of $T'$ by $\hat{t}$.


Example 4. Consider the type $T = \mu t.\&\{l_1 : t,\ l_2 : \oplus\{l_3 : t\}\}$, then we have

$$selUnfold(T) = \mu t.\&\{l_1 : t,\ l_2 : \oplus\{l_3 : \mu t.\&\{l_1 : t,\ l_2 : \oplus\{l_3 : t\}\}\}\}$$

i.e., the type is only unfolded within output selection sub-terms. Note that $\hat{t}$ is
used to identify where unfolding must take place, e.g.,
$selRepl(t, \hat{t}, \&\{l_1 : t,\ l_2 : \oplus\{l_3 : t\}\}) = \&\{l_1 : t,\ l_2 : \oplus\{l_3 : \hat{t}\}\}$.
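The two syntactic procedures introduced so far, the controllability check of Definition 9 (illustrated by Example 3) and the selective unfolding of Definition 10 (illustrated by Example 4), as one added executable example that is not the paper's code or tool. It reuses the nested-tuple encoding of session types assumed earlier (`('mu', t, T)`, `('in', ...)`, `('out', ...)`). `ctrl` enumerates the finitely many single-branch variants $T'$ of $T$ and returns the first one with $T'$ ok, which is the algorithm sketched after Definition 9; by Theorem 2 the dual of the witness is a compliant partner of $T$. `sel_unfold` implements Definition 10, writing the fresh variable as the original name followed by `^`, which assumes that variable names never contain that character.

```python
"""Controllability (Definition 9) and selective unfolding (Definition 10); added example.

Encoding of session types, assumed here:
  ('end',) | ('var', t) | ('mu', t, T) | ('out', ((l, T), ...)) | ('in', ((l, T), ...))
"""
END = ('end',)
def var(t): return ('var', t)
def mu(t, body): return ('mu', t, body)
def out(**br): return ('out', tuple(sorted(br.items())))   # output selection +{l_i : T_i}
def inp(**br): return ('in', tuple(sorted(br.items())))    # input branching &{l_i : T_i}


def subst(T, t, R):
    """T{R/t}: replace the free occurrences of recursion variable t in T by R."""
    if T[0] == 'var':
        return R if T[1] == t else T
    if T[0] == 'mu':
        return T if T[1] == t else ('mu', T[1], subst(T[2], t, R))
    if T[0] in ('out', 'in'):
        return (T[0], tuple((l, subst(S, t, R)) for l, S in T[1]))
    return T


def has_end(T):
    """end in T: the type end occurs syntactically in T."""
    if T[0] == 'mu':
        return has_end(T[2])
    if T[0] in ('out', 'in'):
        return any(has_end(S) for _, S in T[1])
    return T == END


def ok(T):
    """The judgement T ok of Definition 9.  No rule applies to a bare recursion
    variable or to an input prefix with more than one branch."""
    if T == END:
        return True
    if T[0] == 'mu':
        return has_end(T[2]) and ok(subst(T[2], T[1], END))
    if T[0] == 'in':
        return len(T[1]) == 1 and ok(T[1][0][1])
    if T[0] == 'out':
        return all(ok(S) for _, S in T[1])
    return False


def variants(T):
    """All T' obtained from T by keeping exactly one branch of every input prefix."""
    if T[0] == 'mu':
        return [('mu', T[1], B) for B in variants(T[2])]
    if T[0] == 'in':
        return [('in', ((l, B),)) for l, S in T[1] for B in variants(S)]
    if T[0] == 'out':
        combos = [()]
        for l, S in T[1]:
            combos = [c + ((l, B),) for c in combos for B in variants(S)]
        return [('out', c) for c in combos]
    return [T]


def ctrl(T):
    """T ctrl: a witness T' with T' ok, or None.  Finitely many variants exist, so
    this decides the judgement; by Theorem 2 a witness exists iff T is controllable."""
    return next((V for V in variants(T) if ok(V)), None)


def out_guarded(t, T):
    """+g(t, T): every free occurrence of t in T lies inside an output selection."""
    if T[0] == 'var':
        return T[1] != t
    if T[0] == 'mu':
        return T[1] == t or out_guarded(t, T[2])
    if T[0] == 'in':
        return all(out_guarded(t, S) for _, S in T[1])
    return True                      # an output selection guards everything below it; end


def sel_repl(t, fresh, T, inside_out=False):
    """selRepl(t, t^, T): rename the free occurrences of t under an output selection to t^."""
    if T[0] == 'var':
        return ('var', fresh) if T[1] == t and inside_out else T
    if T[0] == 'mu':
        return T if T[1] == t else ('mu', T[1], sel_repl(t, fresh, T[2], inside_out))
    if T[0] in ('out', 'in'):
        below = inside_out or T[0] == 'out'
        return (T[0], tuple((l, sel_repl(t, fresh, S, below)) for l, S in T[1]))
    return T


def sel_unfold(T):
    """Definition 10: unfold a recursion variable only where an output selection guards it.
    The fresh variable is t + '^' (assumption: variable names never contain '^')."""
    if T[0] == 'in':
        return ('in', tuple((l, sel_unfold(S)) for l, S in T[1]))
    if T[0] == 'mu':
        t, body = T[1], T[2]
        if out_guarded(t, body):
            return subst(body, t, T)
        fresh = t + '^'
        return ('mu', t, sel_unfold(subst(sel_repl(t, fresh, body), fresh, T)))
    return T                         # output selections, variables and end are unchanged


# Example 3 (no single-branch variant is ok), the Figure 1 ground station, and Example 4.
T_EX3 = mu('t', inp(l1=inp(l2=out(l4=END, l5=mu('u', out(l6=var('u'))))), l3=var('t')))
T_G = mu('t', inp(tm=var('t'), over=mu('u', out(tc=var('u'), done=END))))
T_EX4 = mu('t', inp(l1=var('t'), l2=out(l3=var('t'))))
```

`ctrl(T_EX3)` is `None`, while `ctrl(T_G)` returns the witness $\mu t.\&\{over : \mu t'.\oplus\{tc : t', done : end\}\}$, whose dual sends `over` and then drains the telecommands, exactly the partner the proof of Theorem 2 constructs. `sel_unfold(T_EX4)` yields the type displayed in Example 4, and `sel_unfold(T_G)` yields the decomposition used in Example 6 below: the outer `t` stays folded because it is only guarded by an input, whereas the inner `t'` is unfolded once because it sits under an output selection.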


The last auxiliary notation required to define our notion of subtyping is that 
of input contexts, which are used to record inputs that may be delayed in a 
candidate super-type. 


Definition 11 (Input Context). An input context $\mathcal{A}$ is a session type with
several holes defined by the syntax:

$$\mathcal{A} ::= []^k \mid \&\{l_i : \mathcal{A}_i\}_{i \in I} \mid \mu t.\mathcal{A} \mid t$$

where the holes $[]^k$, with $k \in K$, of an input context $\mathcal{A}$ are assumed to be pairwise
distinct. We assume that recursion is guarded, i.e., in an input context $\mu t.\mathcal{A}$,
the recursion variable $t$ must occur within a subterm $\&\{l_i : \mathcal{A}_i\}_{i \in I}$.

We write $holes(\mathcal{A})$ for the set of hole indices in $\mathcal{A}$. Given a type $T_k$ for each
$k \in K$, we write $\mathcal{A}[T_k]^{k \in K}$ for the type obtained by filling each hole $k$ in $\mathcal{A}$ with
the corresponding $T_k$.


In contrast to previous work [6,7,13-15,26], these input contexts may contain 
recursive constructs. This is crucial to deal with examples such as Figure 1. 

We are now ready to define the fair asynchronous subtyping relation, written
$\leq$. The rationale behind asynchronous session subtyping is that under asyn-
chronous communication it is unobservable whether or not an output is antici- 
pated before an input, as long as this output is executed along all branches of 
the candidate super-type. Besides the usage of our new recursive input contexts 
the definition of fair asynchronous subtyping differs from those in [6,7, 13-15, 26] 
in that controllability plays a fundamental role: the subtype is not required to 
mimic supertype inputs leading to uncontrollable behaviours. 


Definition 12 (Fair Asynchronous Subtyping, $\leq$).
A relation $\mathcal{R}$ on session types is a controllable subtyping relation whenever
$(T, S) \in \mathcal{R}$ implies:

1. if $T = end$ then $unfold(S) = end$;

2. if $T = \mu t.T'$ then $(T'\{T/t\}, S) \in \mathcal{R}$;

3. if $T = \&\{l_i : T_i\}_{i \in I}$ then $unfold(S) = \&\{l_j : S_j\}_{j \in J}$, $I \supseteq K$, and $\forall k \in K.\ (T_k, S_k) \in \mathcal{R}$, where $K = \{k \in J \mid S_k \text{ is controllable}\}$;

4. if $T = \oplus\{l_i : T_i\}_{i \in I}$ then $selUnfold(S) = \mathcal{A}[\oplus\{l_i : S_{k,i}\}_{i \in I}]^{k \in K}$ and $\forall i \in I.\ (T_i, \mathcal{A}[S_{k,i}]^{k \in K}) \in \mathcal{R}$.

$T$ is a controllable subtype of $S$ if there is a controllable subtyping relation $\mathcal{R}$ s.t.
$(T, S) \in \mathcal{R}$.

$T$ is a fair asynchronous subtype of $S$, written $T \leq S$, whenever: $S$ controllable
implies that $T$ is a controllable subtype of $S$.


Notice that the top-level check for controllability in the above definition is 
consistent with the inner controllability checks performed in Case (3). 


Subtyping simulation game Session type T is a fair asynchronous subtype of S 
if S is not controllable or if T is a controllable subtype of S. Intuitively, the 
above co-inductive definition says that it is possible to play a simulation game 
between a subtype T and its supertype S as follows. Case (1) says that if T is 
the end type, then S must also be end. Case (2) says that if T is a recursive 
definition, then it simply unfolds this definition while S does not need to reply. 
Case (3) says that if T is an input branching, then the sub-terms in S that are
controllable can reply by inputting at most some of the labels l; in the branching 
(contravariance of inputs), and the simulation game continues (see Example 5). 
Case (4) says that if T is an output selection, then S can reply by outputting all 
the labels l; in the selection, possibly after executing some inputs, after which the 
simulation game continues. We comment further on Case (4) with Example 6. 
Example 5. Consider $T = \&\{l_1 : end,\ l_2 : end\}$ and $S = \&\{l_1 : end,\ l_3 :
\mu t.\oplus\{l_4 : t\}\}$. We have $T \leq S$. Once branch $l_3$, that is uncontrollable, is removed
from $S$, we can apply contravariance for input branching. We have $I = \{1, 2\} \supseteq
\{1\} = K$ in Definition 12.


Example 6. Consider $T_G$ and $T'_G$ from Figure 1. For the pair $(T'_G, T_G)$, we apply
Case (4) of Definition 12 for which we compute

$$selUnfold(T_G) = \mathcal{A}[\oplus\{tc : \mu t'.\oplus\{tc : t',\ done : end\},\ done : end\}]$$

with $\mathcal{A} = \mu t.\&\{tm : t,\ over : []^1\}$. Observe that $\mathcal{A}$ contains a recursive sub-term;
such contexts are not allowed in previous works [14,15,26].

The use of selective unfolding makes it possible to express $T_G$ in terms of a
recursive input context $\mathcal{A}$ with holes filled by types (i.e., closed terms) that start
with an output prefix. Indeed selective unfolding does not unfold the recursion
variable $t$ (not guarded by an output selection), which becomes part of the input
context $\mathcal{A}$. Instead it unfolds the recursion variable $t'$ (which is guarded by an
output selection) so that the term that fills the hole, which is required to start
with an output prefix, is a closed term.

Case (4) of Definition 12 requires us to check that the following pairs are
in the relation: (i) $(T'_G, \mathcal{A}[\mu t'.\oplus\{tc : t',\ done : end\}])$ and (ii) $(\mu t'.\&\{tm :
t',\ over : end\}, \mathcal{A}[end])$. Observe that $T_G = \mathcal{A}[\mu t'.\oplus\{tc : t',\ done : end\}]$.
Hence, we have $T'_G \leq T_G$ with

$$\mathcal{R} = \{(T'_G, T_G),\ (end, end),\ (\mu t'.\&\{tm : t',\ over : end\},\ \mu t.\&\{tm : t,\ over : end\})\}$$

and $\mathcal{R}$ is a controllable subtyping relation.


We show that fair asynchronous subtyping is sound w.r.t. fair refinement. In
fact, fair asynchronous subtyping can be seen as a sound coinductive characterisation
of fair refinement. Namely this result gives an operational justification to
the syntactical definition of fair asynchronous session subtyping. Note that $\leq$ is
not complete w.r.t. $\sqsubseteq$, see Example 7.


Theorem 3. Given two session types $T$ and $S$, if $T \leq S$ then $T \sqsubseteq S$.


Example 7. Let $T = \oplus\{l_1 : \&\{l_3 : end\}\}$ and $S = \&\{l_3 : \oplus\{l_1 : end,\ l_2 : end\}\}$.
We have $T \sqsubseteq S$, but $T$ is not a fair asynchronous subtype of $S$ since $\{l_1\} \neq
\{l_1, l_2\}$, i.e., covariance of outputs is not allowed.


Unfortunately, fair asynchronous session subtyping is also undecidable. The 
proof is similar to the one of undecidability of fair refinement, in particular we 
proceed by reduction from the termination problem in queue machines. 


Theorem 4. Given two session types $T$ and $S$, it is in general undecidable to
check whether $T \leq S$.
4 A Sound Algorithm for Fair Asynchronous Subtyping


We propose an algorithm which soundly verifies whether a session type is a 
fair asynchronous subtype of another. The algorithm relies on building a tree 
whose nodes are labelled by configurations of the simulation game induced by 
Definition 12. The algorithm analyses the tree to identify witness subtrees which 
contain input contexts that are growing following a recognisable pattern. 


Example 8. Recall the satellite communication example (Figure 1). The spacecraft
with protocol $T_S$ may be a replacement for an older generation of spacecraft
which follows the more complicated protocol $T'_S$, see Figure 2. Type $T'_S$ notably
allows the reception of telecommands to be interleaved with the emission of
telemetries. The new spacecraft may safely replace the old one because $T_S \leq T'_S$.
However, checking $T_S \leq T'_S$ leads to an infinite accumulation of input contexts,
hence it requires to consider infinitely many pairs of session types. E.g.,
after $T_S$ selects the output label tm twice, the subtyping simulation game considers
the pair $(T_S, T''_S)$, where also $T''_S$ is in Figure 2. The pairs generated for
this example illustrate a common recognisable pattern where some branches
grow infinitely (the tc-branch), while others stay stable throughout the derivation
(the done-branch). The crux of our algorithm is to use a finite parametric
characterisation of the infinitely many pairs occurring in the check of $T_S \leq T'_S$.


The simulation tree for $T \leq S$, written $simtree(T, S)$, is the labelled tree representing
the simulation game for $T \leq S$, i.e., $simtree(T, S)$ is a tuple $(N, n_0, \to, \lambda)$
where $N$ is its set of nodes, $n_0 \in N$ is its root, $\to$ is its transition function,
and $\lambda$ is its labelling function, such that $\lambda(n_0) = (T, S)$. We omit the formal definition
of $\to$, as it is straightforward from Definition 12 following the subtyping
simulation game discussed after that definition. We give an example below.

Notice that the simulation tree $simtree(T, S)$ is defined only when $S$ is controllable,
since $T \leq S$ holds without needing to play the subtyping simulation
game if $S$ is not controllable. We say that a branch of $simtree(T, S)$ is successful
if it is infinite or if it finishes in a leaf labelled by $(end, end)$. All other branches
are unsuccessful. Under the assumption that $S$ is controllable, we have that all
branches of $simtree(T, S)$ are successful if and only if $T \leq S$. As a consequence
checking whether all branches of $simtree(T, S)$ are successful is generally undecidable.
It is possible to identify a branch as successful if it visits finitely many
pairs (or node labels), see Example 6; but in general a branch may generate
infinitely many pairs, see Examples 8 and 12.

In order to support types that generate unbounded accumulation, we charac- 
terise finite subtrees — called witness subtrees, see Definition 13 — such that all 
the branches that traverse these finite subtrees are guaranteed to be successful. 


Notation We give a few auxiliary definitions and notations. Hereafter A and A’ 
range over extended input contexts, i.e., input contexts that may contain distinct 
holes with the same index. These are needed to deal with unfoldings of input 
contexts, see Example 9. 
[Figure 2, top: communicating finite-state machine for $T'_S$; the drawing is not recoverable from the text.]

$T'_S = \mu t.\&\{tc : \oplus\{tm : t,\ over : \mu t'.\&\{tc : t',\ done : end\}\},\ done : \mu t''.\oplus\{tm : t'',\ over : end\}\}$

$T''_S = \&\{tc : \&\{tc : T'_S,\ done : \mu t''.\oplus\{tm : t'',\ over : end\}\},\ done : \mu t''.\oplus\{tm : t'',\ over : end\}\}$


Fig. 2. $T'_S$ is an alternative session type for $T_S$, see Example 8.


The set of reductions of an input context $\mathcal{A}$ is the minimal set $\mathcal{S}$ s.t. (i) $\mathcal{A} \in \mathcal{S}$;
(ii) if $\&\{l_i : \mathcal{A}_i\}_{i \in I} \in \mathcal{S}$ then $\forall i \in I.\ \mathcal{A}_i \in \mathcal{S}$ and (iii) if $\mu t.\mathcal{A}' \in \mathcal{S}$ then
$\mathcal{A}'\{\mu t.\mathcal{A}'/t\} \in \mathcal{S}$. Notice that due to unfolding (item (iii)), the reductions of an
input context may contain extended input contexts. Moreover, given a reduction
$\mathcal{A}'$ of $\mathcal{A}$, we have that $holes(\mathcal{A}') \subseteq holes(\mathcal{A})$.


Example 9. Consider the following extended input contexts:

$\mathcal{A}_1 = \mu t.\&\{l_1 : []^1,\ l_2 : \&\{l_3 : t\}\}$ \qquad $\mathcal{A}_2 = \&\{l_3 : \mu t.\&\{l_1 : []^1,\ l_2 : \&\{l_3 : t\}\}\}$

$unfold(\mathcal{A}_1) = \&\{l_1 : []^1,\ l_2 : \&\{l_3 : \mu t.\&\{l_1 : []^1,\ l_2 : \&\{l_3 : t\}\}\}\}$

Context $\mathcal{A}_2$ is a reduction of $\mathcal{A}_1$, i.e., one can reach $\mathcal{A}_2$ from $\mathcal{A}_1$, by unfolding
$\mathcal{A}_1$ and executing the input $l_2$. Context $unfold(\mathcal{A}_1)$ is also a reduction of $\mathcal{A}_1$.
Observe that $unfold(\mathcal{A}_1)$ contains two distinct holes indexed by 1.


Given an extended context $\mathcal{A}$ and a set of hole indices $K$ such that $K \subseteq
holes(\mathcal{A})$, we use the following shorthands. Given a type $T_k$ for each $k \in K$,
we write $\mathcal{A}[T_k]^{k \in K}$ for the extended context obtained by replacing each hole
$k \in K$ in $\mathcal{A}$ by $T_k$. Also, given an extended context $\mathcal{A}'$ we write $\mathcal{A}(\mathcal{A}')^K$ for
the extended context obtained by replacing each hole $k \in K$ in $\mathcal{A}$ by $\mathcal{A}'$. When
$K = \{k\}$, we often omit $K$ and write, e.g., $\mathcal{A}(\mathcal{A}')^k$ and $\mathcal{A}[T_k]^k$.


Example 10. Using the above notation and posing $\mathcal{A} = \&\{tc : []^1,\ done : []^2\}$,
we can rewrite $T''_S$ (Figure 2) as $\mathcal{A}(\mathcal{A}[T'_S]^1)^1[\mu t''.\oplus\{tm : t'',\ over : end\}]^2$.


Example 11. Consider the session type below

$S = \&\{l_1 : \&\{l_1 : T_1,\ l_2 : T_2,\ l_3 : T_3\},\ l_2 : \&\{l_1 : T_1,\ l_2 : T_2,\ l_3 : T_3\},\ l_3 : T_3\}$.

Posing $\mathcal{A} = \&\{l_1 : []^1,\ l_2 : []^2,\ l_3 : []^3\}$ we have $holes(\mathcal{A}) = \{1, 2, 3\}$. Assuming $J = \{1, 2\}$ and $K = \{3\}$, we can rewrite $S$ as $\mathcal{A}(\mathcal{A}[T_j]^{j \in J})^J[T_k]^{k \in K}$.
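The reduction set, $holes$, and the two substitution shorthands above can be exercised directly. The following Python is an added example, not code from the paper or from its Haskell tool: it represents extended input contexts as nested tuples (a representation chosen for this example), keeps the session types that fill holes opaque, computes the reduction set as the fixpoint of conditions (i) to (iii), and rebuilds the contexts of Examples 9, 10 and 11.

```python
# Added example, not from the paper or its Haskell tool: a small model of (extended)
# input contexts as nested tuples, with the reduction set, unfolding, and the
# hole-substitution shorthands A[T_k]^{k in K} and A(A')^K from this section.
# Session types that fill holes are kept opaque ("type", name): an assumption made
# here because only their position in the context matters for these examples.

def hole(k):
    return ("hole", k)                     # []^k

def var(t):
    return ("var", t)                      # recursion variable t

def rec(t, body):
    return ("rec", t, body)                # mu t. body

def inp(**branches):
    # &{ l_1 : A_1, ..., l_n : A_n }; labels are sorted so equal contexts compare equal
    return ("in", tuple(sorted(branches.items())))

def typ(name):
    return ("type", name)                  # opaque session type (assumption)

def holes(ctx):
    """holes(A): the set of hole indices occurring in ctx."""
    kind = ctx[0]
    if kind == "hole":
        return {ctx[1]}
    if kind == "rec":
        return holes(ctx[2])
    if kind == "in":
        return set().union(*(holes(c) for _, c in ctx[1]))
    return set()

def hole_occurrences(ctx, k):
    """Number of syntactic positions at which hole k occurs in ctx."""
    kind = ctx[0]
    if kind == "hole":
        return int(ctx[1] == k)
    if kind == "rec":
        return hole_occurrences(ctx[2], k)
    if kind == "in":
        return sum(hole_occurrences(c, k) for _, c in ctx[1])
    return 0

def subst_var(ctx, t, repl):
    """ctx{repl/t}: replace the free occurrences of variable t by repl."""
    kind = ctx[0]
    if kind == "var":
        return repl if ctx[1] == t else ctx
    if kind == "rec":
        if ctx[1] == t:                    # t is rebound here; the body is left alone
            return ctx
        return ("rec", ctx[1], subst_var(ctx[2], t, repl))
    if kind == "in":
        return ("in", tuple((l, subst_var(c, t, repl)) for l, c in ctx[1]))
    return ctx

def unfold(ctx):
    """One-step unfolding: mu t.A' becomes A'{mu t.A'/t}; anything else is unchanged."""
    if ctx[0] == "rec":
        return subst_var(ctx[2], ctx[1], ctx)
    return ctx

def reductions(ctx):
    """Minimal set S with (i) A in S, (ii) every branch of an input in S is in S,
    (iii) the unfolding of every recursive context in S is in S."""
    todo, seen = [ctx], set()
    while todo:
        c = todo.pop()
        if c in seen:
            continue
        seen.add(c)
        if c[0] == "in":
            todo.extend(sub for _, sub in c[1])
        elif c[0] == "rec":
            todo.append(unfold(c))
    return seen

def fill(ctx, filling):
    """Replace hole k by filling[k] for every k in filling; filling[k] may be a type
    (A[T_k]^{k in K}) or another context (A(A')^K). Holes not in filling are kept."""
    kind = ctx[0]
    if kind == "hole":
        return filling.get(ctx[1], ctx)
    if kind == "rec":
        return ("rec", ctx[1], fill(ctx[2], filling))
    if kind == "in":
        return ("in", tuple((l, fill(c, filling)) for l, c in ctx[1]))
    return ctx

# Example 9: A1 = mu t.&{l1: []^1, l2: &{l3: t}} and A2 = &{l3: A1}
A1 = rec("t", inp(l1=hole(1), l2=inp(l3=var("t"))))
A2 = inp(l3=A1)

# Example 10: A = &{tc: []^1, done: []^2}, T''_S = A(A[T'_S]^1)^1[mu t''.+{tm: t'', over: end}]^2
A_SAT = inp(tc=hole(1), done=hole(2))
T1S = typ("T'_S")
FIN = typ("mu t''.+{tm: t'', over: end}")
T2S = fill(fill(A_SAT, {1: fill(A_SAT, {1: T1S})}), {2: FIN})

# Example 11: S = A(A[T_j]^{j in J})^J[T_k]^{k in K} with J = {1, 2}, K = {3}
T = {i: typ(f"T{i}") for i in (1, 2, 3)}
A3 = inp(l1=hole(1), l2=hole(2), l3=hole(3))
J, K = {1, 2}, {3}
INNER = fill(A3, {j: T[j] for j in J})
S_EX11 = fill(fill(A3, {j: INNER for j in J}), {k: T[k] for k in K})

if __name__ == "__main__":
    R = reductions(A1)
    print("reductions of A1:", len(R), "| A2 in R:", A2 in R, "| unfold(A1) in R:", unfold(A1) in R)
    print("occurrences of hole 1 in unfold(A1):", hole_occurrences(unfold(A1), 1))
    print("T''_S =", T2S)
```

Running the file prints the size of the reduction set of $\mathcal{A}_1$ and whether $\mathcal{A}_2$ and $unfold(\mathcal{A}_1)$ belong to it. The reduction set is computed over closed terms and is finite here because unfolding only ever substitutes the original recursive context back for its variable, so the fixpoint closes after the four contexts of Example 9.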


Example 12. Figure 3 shows the partial simulation tree for $T_S \leq T'_S$, from Figures 1 and 2 (ignore the dashed edges for now). Notice how the branch leading to the top part of the tree visits only finitely many node labels (see dotted box), however the bottom part of the tree generates infinitely many labels, see the path along the $!tm$ transitions in the dashed box.

Fig. 3. Simulation tree for $T_S \leq T'_S$ (Figures 1 and 2), the root of the tree is in bold.


Witness subtrees Next, we define witness trees which are finite subtrees of a 
simulation tree which we prove to be successful. The role of the witness subtree 
is to identify branches that satisfy a certain accumulation pattern. It detects an 
input context A whose holes fall in two categories: (i) growing holes (indexed 
by indices in J below) which lead to an infinite growth and (ii) constant holes 
(indexed by indices in K below) which stay stable throughout the simulation 
game. The definition of witness trees relies on the notion of ancestor of a node $n$, which is a node $n'$ (different from $n$) on the path from the root $n_0$ to $n$. We illustrate witness trees with Figure 3 and Example 13.


Definition 13 (Witness Tree). A tree $(N, n_0, \rightarrow, \lambda)$ is a witness tree for $\mathcal{A}$, such that $holes(\mathcal{A}) = I$, with $\emptyset \subset K \subseteq I$ and $J = I \setminus K$, if all the following conditions are satisfied:

1. for all $n \in N$ either $\lambda(n) = (T, \mathcal{A}(\mathcal{A}[S_j]^{j \in J})^J[S_k]^{k \in K})$ or $\lambda(n) = (T, \mathcal{A}'(\mathcal{A}[S_j]^{j \in J})^J[S_k]^{k \in K})$, where $\mathcal{A}'$ is a reduction of $\mathcal{A}$, and it holds that
   – $holes(\mathcal{A}') \subseteq K$ implies that $n$ is a leaf and
   – if $\lambda(n) = (T, \mathcal{A}[S_i]^{i \in I})$ and $n$ is not a leaf then $unfold(T)$ starts with an output selection;

2. each leaf $n$ of the tree satisfies one of the following conditions:
   (a) $\lambda(n) = (T, S)$ and $n$ has an ancestor $n'$ s.t. $\lambda(n') = (T, S)$
   (b) $\lambda(n) = (T, \mathcal{A}(\mathcal{A}[S_j]^{j \in J})^J[S_k]^{k \in K})$ and $n$ has an ancestor $n'$ s.t. $\lambda(n') = (T, \mathcal{A}[S_i]^{i \in I})$
   (c) $\lambda(n) = (T, \mathcal{A}[S_i]^{i \in I})$ and $n$ has an ancestor $n'$ s.t. $\lambda(n') = (T, \mathcal{A}(\mathcal{A}[S_j]^{j \in J})^J[S_k]^{k \in K})$
   (d) $\lambda(n) = (T, \mathcal{A}'[S_k]^{k \in K'})$ where $K' \subseteq K$
   and for all leaves $(T, S)$ of type (2c) or (2d) $T \leq S$ holds.


Intuitively Condition (1) says that a witness subtree consists of nodes that 
are labelled by pairs (T, S) where S contains a fixed context A (or a reduc- 
tion/repetition thereof) whose holes are partitioned in growing holes (J) and 
constant holes (K). Whenever all growing holes have been removed from a pair 
(by reduction of the context) then this means that the pair is labelling a leaf of 
the tree. In addition, if the initial input is limited to only one instance of A, the 
l.h.s. type starts with an output selection so that this input cannot be consumed 
in the subtyping simulation game. 

Condition 2 says that all leaves of the tree must validate certain conditions 
from which we can infer that their continuations in the full simulation tree 
lead to successful branches. Leaves satisfying Condition (2a) straightforwardly 
lead to successful branches as the subtyping simulation game, starting from the 
corresponding pair, has been already checked starting from its ancestor having 
the same label. Leaves satisfying Condition (2b) lead to an infinite but regular 
“increase” of the types in J-indexed holes — following the same pattern of 
accumulation from their ancestor. The next two kinds of leaves must additionally 
satisfy the subtyping relation — using witness trees inductively or based on the 
fact they generate finitely many labels. Leaves satisfying Condition (2c) lead 
to regular “decrease” of the types in J-indexed holes — following the same 
pattern of reduction from their ancestor. Leaves satisfying Condition (2d) use 
only constant K-indexed holes because, by reduction of the context A’, the 
growing holes containing the accumulation A have been removed. 


Remark 1. Definition 13 is parameterised by an input context A. We explain how 
such contexts can be identified while building a simulation tree in Section 5. 


Example 13. In the tree of Figure 3 we highlight two subtrees. The subtree in the dotted box is not a witness subtree because it does not validate Condition (1) of Definition 13, i.e., there is an intermediary node with a label in which the r.h.s. type does not contain $\mathcal{A}$.

The subtree in the dashed box is a witness subtree with 3 leaves, where the dashed edges represent the ancestor relation, $\mathcal{A} = \&\{tc : []^1,\ done : []^2\}$, $J = \{1\}$ and $K = \{2\}$. We comment on the leaves clockwise, starting from $(end, end)$, which satisfies Condition (2d). The next leaf satisfies Condition (2c), while the final leaf satisfies Condition (2b).


Algorithm Given two session types $T$ and $S$ we first check whether $S$ is uncontrollable. If this is the case we immediately conclude that $T \leq S$. Otherwise, we proceed in four steps.

S1 We compute a finite fragment of $simtree(T, S)$, stopping whenever (i) we encounter a leaf (successful or not), (ii) we encounter a node that has an ancestor as defined in Definition 13 (Conditions (2a), (2b), and (2c)), (iii) or the length of the path from the root of $simtree(T, S)$ to the current node exceeds a bound set to two times the depth of the AST of $S$. This bound allows the algorithm to explore paths that will traverse the super-type at least twice. We have empirically confirmed that it is sufficient for all examples mentioned in Section 5.

S2 We remove subtrees from the tree produced in S1 corresponding to successful branches of the simulation game which contain finitely many labels. Concretely, we remove each subtree all of whose leaves $n$ are either successful or have an ancestor $n'$ such that $n'$ is in the same subtree and $\lambda(n) = \lambda(n')$.

S3 We extract subtrees from the tree produced in S2 that are potential can- 
didates to be subsequently checked. The extraction of these finite candidate 
subtrees is done by identifying the forest of subtrees rooted in ancestor nodes 
which do not have ancestors themselves. 

S4 We check that each of the candidate subtrees from S3 is a witness tree. 


If an unsuccessful leaf is found in S1, then the considered session types are not 
related. In S1, if the generation of the subtree reached the bound before reaching 
an ancestor or a leaf, then the algorithm is unable to give a decisive verdict, i.e., 
the result is unknown. Otherwise, if all checks in S4 succeed then the session 
types are in the fair asynchronous subtyping relation. In all other cases, the 
result is unknown because a candidate subtree is not a witness. 


Example 14. We illustrate the algorithm above with the tree in Figure 3. After S1, we obtain the whole tree in the figure (11 nodes). After S2, all nodes in the dotted box are removed. After S3 we obtain the (unique) candidate subtree contained in the dashed box. This subtree is identified as a witness subtree in S4, hence we have $T_S \leq T'_S$.


We state the main theorem that establishes the soundness of our algorithm, where $\rightarrow^*$ is the reflexive and transitive closure of $\rightarrow$.

Theorem 5. Let $T$ and $S$ be session types s.t. $simtree(T, S) = (N, n_0, \rightarrow, \lambda)$. If $simtree(T, S)$ contains a witness subtree with root $n$ then for every node $n' \in N$ s.t. $n \rightarrow^* n'$, either $n'$ is a successful leaf, or there exists $n''$ s.t. $n' \rightarrow n''$.


We can conclude that if the candidate subtrees of simtree(T,S) identified 
with the strategy explained above are also witness subtrees, then we have T < S. 


5 Implementation 


To evaluate our algorithm, we have produced a Haskell implementation of it, which is available on GitHub [31]. Our tool takes two session types $T$ and $S$ as input then applies Steps S1 to S4 to check whether $T \leq S$. A user-provided bound can be given as an optional argument. We have run our tool on a dozen of examples handcrafted to test the limits of our algorithm (inc. the examples discussed in this paper), as well as on the 174 tests taken from [6]. All of these tests terminate under a second.

For debugging and illustration purposes, the tool can optionally generate 
graphical representations of the simulation and witness trees, and check whether 
the given types are controllable. We give examples of these in [9]. 

Our tool internally uses automata to represent session types and uses strong 
bisimilarity instead of syntactic equality between session types. Using automata 
internally helps us identify candidate input contexts as we can keep track of 
states that correspond to the input context computed when applying Case (4) 
of Definition 12. In particular, we augment each local state in the automata 
representation of the candidate supertype with two counters: the c-counter keeps 
track of how many times a state has been used in an input context; the h- 
counter keeps track of how many times a state has occurred within a hole of an 
input context. Figure 4 illustrates this: it shows the internal data structures our tool manipulates when checking $T_S \leq T'_S$ from Figures 1 and 2. The state indices of the automata in Figure 4 correspond to the ones in Figure 1 (2nd column) and Figure 2 (3rd column).

The first row of Figure 4 represents the root of the simulation tree, where 
both session types are in their respective initial state and no transition has been 
executed. We use state labels of the form $n_{c,h}$, where $n$ is the original identity of the state, $c$ is the value of the c-counter, and $h$ is the value of the h-counter. The second row depicts the configuration after firing transition $!tm$, via Case (4) of Definition 12. While the candidate subtype remains in state 0 (due to a self-loop) the candidate supertype is unfolded with $selUnfold(T'_S)$ (Definition 10).
The resulting automaton contains an additional state and two transitions. All 
previously existing states have their h-counter incremented, while the new state 
has its c-counter incremented. The third row of the figure shows the configuration 
after firing transition !over, using Case (4) of Definition 12 again. In this step, 
another copy of state 0 is added. Its c-counter is set to 2 since this state has been 
used in a context twice; and the h-counters of all other states are incremented. 

Using this representation, we construct a candidate input context by building a tree whose root is a state $q_{c,h}$ such that $c > 1$. The nodes of the tree are taken from the states reachable from $q_{c,h}$, stopping when a state $q'_{c',h'}$ such that $c' < c$ is found. A leaf $q'_{c',h'}$ becomes a hole of the input context. The hole is a constant ($K$) hole when $h' = c$, and growing ($J$) otherwise. Given this strategy and the configurations in Figure 4, we successfully identify the context $\mathcal{A} = \&\{tc : []^1,\ done : []^2\}$ with $J = \{1\}$ and $K = \{2\}$.


6 Related and Future Work 


Fig. 4. Internal representation of the simulation tree for $T_S \leq T'_S$ (fragment). Columns: last transition, state of $T_S$, representation of $T'_S$; rows: $\epsilon$ (state 0), $!tm$ (state 0), $!over$ (state 1). Automata drawings omitted.

Related work We first compare with previous work on refinement for asynchronous communication by some of the authors of this paper. The work in [10] also considers fair compliance, however here we consider binary (instead of multiparty) communication and we use a unique input queue for all incoming messages instead of distinct named input channels. Moreover, here we provide a sound characterisation of fair refinement using coinductive subtyping and provide a sound algorithm and its implementation. In [13] the asynchronous subtyping of [7,14,15,26] is used to characterise refinement for a notion of correct composition based on the impossibility to reach a deadlock, instead of the possibility to reach a final successful configuration as done in the present paper. The refinement from [13] does not support examples such as those in Figure 1.
Concerning previous notions of synchronous subtyping, Gay and Hole [17,18] 
first introduced the notion of subtyping for synchronous session types, which is 
decidable in quadratic time [22]. This subtyping only supports covariance of out- 
puts and contravariance of inputs, but does not address anticipation of outputs. 
Padovani studied a notion of fair subtyping for synchronous multi-party session 
types in [29]. This work notably considers the notion of viability which corre- 
sponds, in the synchronous multiparty setting, to our notion of controllability. 
We use the term controllability instead of viability following the tradition of 
service contract theories like those based on Petri nets [25,33] or process cal- 
culi [12]. In contrast to [29], asynchronous communication makes it much more 
involved to characterise controllability in a decidable way, as we do in this pa- 
per. Fair refinement in [29] is characterised by defining a coinductive relation 
on normal form of types, obtained by removing inputs leading to uncontrollable 
continuations. Instead of using normal forms, we remove these inputs during 
the asynchronous subtyping check. A limited form of variance on output is also 
admitted in [29]. Covariance between the outputs of a subtype and those of 
a supertype is possible when the additional branches in the supertype are not 
needed to have compliance with potential partners. In [29] this check is made 
possible by exploiting a difference operation [29, Definition 3.15] on types, which 
synthesises a new type representing branches of one type that are absent in the 
other. We observe that the same approach cannot work to introduce variance
on outputs in an asynchronous setting. Indeed the interplay between output an- 
ticipation and recursion could generate differences in the branches of a subtype 
and a supertype that cannot be statically represented by a (finite) session type. 

Padovani also studied an alternative notion of fair synchronous subtyping 
in [28]. Although the contribution of that paper refers to session types, the for- 
mal framework therein seems to deviate from the usual session type approach. 
In particular, it considers shared channel communication instead of binary chan- 
nels: when a partner emits a message, it is possible to have a race among several 
potential receivers for consuming it. As a consequence of this alternative seman- 
tics, the subtyping in [28] does not admit variance on input. Another difference 
with respect to session type literature is the notion of success among interacting 
sessions: a composition of session is successful if at least one participant reaches 
an internal successful state. This approach has commonalities with testing [27], 
where only the test composed with the system under test is expected to succeed, 
but differs from the typical notion of success considered for session types. In [2,3] 
(resp. [14]) it was proved that the Gay-Hole synchronous session subtyping (resp. 
orphan message free asynchronous subtyping) coincides with refinement induced 
by a successful termination notion requiring interacting processes to be both in 
the end state (with empty buffers, in the asynchronous case). 

Several variants of asynchronous session subtyping have been proposed in [14, 
15,26] and further studied in our earlier work [6,7,13]. All these variants have 
been shown to be undecidable [7, 8,23]. Moreover, all these subtyping relations 
are (implicitly) based on an unfair notion of compliance. Concretely, the defi- 
nition of asynchronous subtyping introduced in this paper differs from the one 
in [14,15] since no additional constraint guaranteeing absence of orphan-messages 
is considered. Such a constraint requires the subtype not to have output loops 
whenever an output anticipation is performed, thus guaranteeing that at least 
one input is performed in all possible paths. In this paper, absence of orphan 
messages is guaranteed by enforcing types to (fairly) reach a successful termination. Moreover, our novel subtyping differs from those in [14, 15, 26] since we use recursive input contexts (and not just finite ones) for the first time; this is necessary to obtain $T_S \leq T'_S$ (see Figures 1 and 2). Notice that
not imposing the above mentioned orphan-message-free constraint of [14,15] is 
consistent with recursive input contexts that allows for input loops in the super- 
type whenever an output anticipation is performed. In [6], we proposed a sound 
algorithm for the asynchronous subtyping in [14]. The sound algorithm that we 
present in this paper substantially differs from that of [6]. Here we use witness 
trees that take under consideration both increasing and decreasing of accumu- 
lated input. In [6], instead, only regular growing accumulation is considered. 


Future work In future work, we will investigate how to support output variance 
in fair asynchronous subtyping. We also plan to study fairness in the context 
of asynchronous multiparty session types, as fair compliance and refinement 
extend naturally to several partners. Finally, we will investigate a more refined 
termination condition for our algorithm using ideas from [6, Definition 11]. 
Abstract. Broadcast consensus protocols (BCPs) are a model of computation, in which anonymous, identical, finite-state agents compute by sending/receiving global broadcasts. BCPs are known to compute all number predicates in $\mathrm{NL} = \mathrm{NSPACE}(\log n)$ where $n$ is the number of agents. They can be considered an extension of the well-established model of population protocols. This paper investigates execution time characteristics of BCPs. We show that every predicate computable by population protocols is computable by a BCP with expected $O(n \log n)$ interactions, which is asymptotically optimal. We further show that every log-space, randomized Turing machine can be simulated by a BCP with $O(n \log n \cdot T)$ interactions in expectation, where $T$ is the expected runtime of the Turing machine. This allows us to characterise polynomial-time BCPs as computing exactly the number predicates in $\mathrm{ZPL}$, i.e. predicates decidable by log-space, randomised Turing machine with zero-error in expected polynomial time where the input is encoded as unary.


Keywords: broadcast protocols · complexity theory · distributed computing


1 Introduction 


In recent years, models of distributed computation following the computation-by- 
consensus paradigm attracted considerable interest in research (see for example 
[9,25,26,8,13]). In such models, network agents compute number predicates, i.e. Boolean-valued functions of the type $\mathbb{N}^k \to \{0, 1\}$, by reaching a stable consensus whose value determines the outcome of the computation. Perhaps the most
prominent model following this paradigm are population protocols [5,6], a model 
in which anonymous, identical, finite-state agents interact randomly in pairwise 
rendezvous to agree on a common Boolean output. 

Due to anonymity and locality of interactions, it is an inherent property of 
population protocols that agents are generally unable to detect with absolute 
certainty when the computation has stabilized. This makes sequential composition of protocols difficult, and further complicates the implementation of control
structures such as loops or branching statements. To overcome this drawback, 
two kinds of approaches have been suggested in the literature: 1.) Let agents 
guess when the computation has stabilized, leading to composable, but merely 
approximately correct protocols [7,24], or 2.) extend population protocols by 
global communication primitives that enable agents to query global properties 
of the agent population [13,8,26]. 

Approaches of the first kind are for the most part based on simulations of 
global broadcasts by means of epidemics. In epidemics-based approaches the 
spread of the broadcast signal is simulated by random pairwise rendezvous, 
akin to the spread of a viral epidemic in a population. When the broadcasting 
agent meets a certain fraction of “infected” agents, it may decide with reasonable 
certainty that the broadcast has propagated throughout the entire population, 
which then leads to the initiation of the next computation phase. Of course, the 
decision to start the next phase may be premature, in which case the rest of 
the execution may be faulty. However, epidemics can also be used to implement 
phase clocks that help keep the failure probability low (see e.g. [7]). 


In [13], Blondin, Esparza, and one of the authors of this paper introduced 
broadcast consensus protocols (BCPs), an extension of population protocols by 
reliable, global, and atomic broadcasts. BCPs find their precursor in the broad- 
cast protocol model introduced by Emerson and Namjoshi in [17] to describe 
bus-based hardware protocols. This model has been investigated intensely in 
the literature, see e.g. [18,19,15,28]. Broadcasts also arise naturally in biological 
systems. For example, Uhlendorf et al. analyse applications of broadcasts in the 
form of an external, global light source for controlling a population of yeasts [12]. 


The authors of [13] show that BCPs compute precisely the predicates in $\mathrm{NL} = \mathrm{NSPACE}(\log n)$, where $n$ is the number of agents. For comparison, it is
known that population protocols compute precisely the Presburger predicates, 
which are the predicates definable in the first-order theory of the integers with 
addition and the usual order; a class much less expressive than the former. 


An epidemics-based approach was used in [7] to show that population protocols can simulate with high probability a step of a virtual register machine with expected $O(n \log^2 n)$ interactions, where $n$ is the number of agents. This result stimulated further research into time bounds for classical problems such as leader election (see e.g. [21,1,16,29,11]) and majority (see e.g. [4,2]). In their seminal paper [5], Angluin et al. already showed that population protocols can stably compute Presburger predicates with $O(n^2 \log n)$ interactions in expectation. Belleville et al. further showed that leaderless protocols require a quadratic number of interactions in expectation to stabilize to the correct output for a wide class of predicates [10]. The aforementioned bounds apply to stabilisation
time: the time it takes to go from an initial configuration to a stable consensus 
that cannot be destroyed by future interactions. In [24], Kosowski and Uznanski 
considered the weaker notion of convergence time: the time it takes on average 
to ultimately transition to the correct consensus (although this consensus could 
in principle be destroyed by future interactions), and they show that sublinear
convergence time is achievable. 

By contrast, to the best of our knowledge, time characteristics of BCPs have 
not been discussed in the literature. The NL-powerful result presented in [13] does 
not establish any time bounds. In fact, [13] only considers a non-probabilistic 
variant of BCPs with a global fairness assumption instead of probabilistic choices. 


Contributions of the paper. This paper initiates the runtime analysis of 
BCPs in terms of expected number of interactions to reach a stable consensus. 
To simplify the definition of probabilistic execution semantics, we introduce a 
restricted, deterministic variant of BCPs without rendezvous transitions. In Sec- 
tion 2, we define probabilistic execution semantics for the restricted version of 
BCPs, and we provide an introductory example for a fast protocol computing 
majority in Section 3. 

In Section 4, we show that these restrictions of our BCP model are incon- 
sequential in terms of expected number of interactions: both rendezvous and 
nondeterministic choices can be simulated with a constant runtime overhead. 

In Section 5, we show that every Presburger predicate can be computed by 
BCPs with O(n log n) interactions and with constant space, where n denotes the 
number of agents in the population. This result is asymptotically optimal. 

In more generality, in Section 6, we use BCPs to simulate Turing machines 
(TMs). In particular, we show that any randomised, logarithmically space-bound, 
polynomial-time TM can be simulated by a BCP with an overhead of O(n log n) 
interactions per step. Conversely, any polynomial-time BCP can be simulated by 
such a TM. This result can be considered an improvement of the NL bound from 
[13], now in a probabilistic setting. We also give a corresponding upper bound, 
which yields the following succinct characterisation: polynomial-time BCPs com- 
pute exactly the number predicates in ZPL, which are the languages decidable 
by randomised log-space polynomial-time TMs with zero-error (the log-space 
analogue to ZPP). 

Bounding the time requires a careful analysis of each step in the simulation 
of the Turing machine. Thus, our proof diverges in significant ways from the 
proof establishing the NL lower bound in [13]. Most notably, we now make use 
of epidemics in order to implement clocks that help reduce failure rates. 


2 Preliminaries 


Complexity classes. As is usual, we define NL as the class of languages decid- 
able by a nondeterministic log-space TM. Additionally, by ZPL we denote the 
set of languages decided by a randomised log-space TM A, s.t. A only terminates 
with the correct result (zero-error) and that it terminates within O(poly n) steps 
in expectation, as defined by Nisan in [27]. 

Multisets. A multiset over a finite set $E$ is a mapping $M : E \to \mathbb{N}$. The set of all multisets over $E$ is denoted $\mathbb{N}^E$. For every $e \in E$, $M(e)$ denotes the number of occurrences of $e$ in $M$. We sometimes denote multisets using a set-like notation, e.g. $\{\!\{ f, g, g \}\!\}$ is the multiset $M$ such that $M(f) = 1$, $M(g) = 2$ and $M(e) = 0$ for every $e \in E \setminus \{f, g\}$. Addition, comparison and scalar multiplication are extended to multisets componentwise, i.e. $(M + M')(e) = M(e) + M'(e)$, $(\lambda M)(e) = \lambda M(e)$ and $M \leq M' \Leftrightarrow M(e) \leq M'(e)$ for every $M, M' \in \mathbb{N}^E$, $e \in E$, and $\lambda \in \mathbb{N}$. For $M' \leq M$ we also define componentwise subtraction, i.e. $(M - M')(e) = M(e) - M'(e)$ for every $e \in E$. For every $e \in E$, we write $e$ for $\{\!\{ e \}\!\}$. We lift functions $f : E \to E'$ to multisets by defining $f(M)(e') = \sum_{f(e) = e'} M(e)$ for $e' \in E'$. Finally, we define the support and size of $M \in \mathbb{N}^E$ respectively as $\llbracket M \rrbracket = \{ e \in E : M(e) > 0 \}$ and $|M| = \sum_{e \in E} M(e)$.

Broadcast Consensus Protocols. A broadcast consensus protocol [13] (BCP) is a tuple $\mathcal{P} = (Q, \Sigma, \delta, I, O)$ where

– $Q$ is a non-empty, finite set of states,
– $\Sigma$ is a non-empty, finite input alphabet,
– $\delta$ is the transition function (defined below),
– $I : \Sigma \to Q$ is the input mapping, and
– $O \subseteq Q$ is a set of accepting states.

The function $\delta$ maps every state $q \in Q$ to a pair $(r, f)$ consisting of the successor state $r \in Q$ and the response function $f : Q \to Q$.


Configurations. A configuration is a multiset $C \in \mathbb{N}^Q$. Intuitively, a configuration $C$ describes a collection of identical finite-state agents with $Q$ as set of states, containing $C(q)$ agents in state $q$ for every $q \in Q$. We say that $C \in \mathbb{N}^Q$ is a 1-consensus if $\llbracket C \rrbracket \subseteq O$, and a 0-consensus if $\llbracket C \rrbracket \subseteq Q \setminus O$.


Step relation. A broadcast $\delta(q) = (r, f)$ is executed in three steps: (1) an agent at state $q$ broadcasts a signal and leaves $q$; (2) all other agents receive the signal and move to the states indicated by the function $f$, i.e. an agent in state $s$ moves to $f(s)$; and (3) the broadcasting agent enters state $r$.

Formally, for two configurations $C, C'$ we write $C \to C'$, whenever there exists a state $q \in Q$ s.t. $C(q) \geq 1$, $\delta(q) = (r, f)$, and $C' = f(C - q) + r$ is the configuration computed from $C$ by the above three steps. By $\to^*$, we denote the reflexive-transitive closure of $\to$.

For example, consider a configuration $C = \{\!\{ a, a, b \}\!\}$ and a broadcast transition $a \mapsto b, \{a \mapsto c, b \mapsto d\}$. To execute this transition, we move an agent from state $a$ to state $b$ and apply the transition function to all other agents, so we end up in $C' = \{\!\{ b \}\!\} + \{\!\{ c, d \}\!\}$.

Broadcast transitions. We write broadcast transitions as $q \mapsto r, S$ with $S$ a set of expressions $q' \mapsto r'$. This refers to $\delta(q) = (r, f)$, with $f(q') = r'$ for $(q' \mapsto r') \in S$. We usually omit identity mappings $q' \mapsto q'$ when specifying $S$.

For graphic representations of broadcast protocols we use a different notation, which separates sending and receiving broadcasts. There we identify a transition $\delta(q) = (r, f)$ with a name $a$ and specify it by writing $q \xrightarrow{!a} r$ and $q' \xrightarrow{?a} r'$ for $f(q') = r'$. Intuitively, $q' \xrightarrow{?a} r'$ can be understood as an agent transitioning from $q'$ to $r'$ upon receiving the signal $a$, and $q \xrightarrow{!a} r$ means that an agent in state $q$ may transmit the signal $a$ and simultaneously transition to state $r$.

As defined, $\delta$ is a total function, so each state is associated with a unique broadcast. If we do not specify a transition $\delta(q) = (r, f)$ explicitly, we assume that it simply maps each state to itself, i.e. $q \mapsto q, \{r \mapsto r : r \in Q\}$. We refer to those transitions as silent.


Executions. An execution is an infinite sequence $\pi = C_0 C_1 C_2 \ldots$ of configurations with $C_i \to C_{i+1}$ for every $i$. It has some fixed number of agents $n \stackrel{\text{def}}{=} |C_0| = |C_1| = \ldots$. Given a BCP and an initial configuration $C_0 \in \mathbb{N}^Q$, we generate a random execution with the following Markov chain: to perform a step at configuration $C_i$, a state $q \in Q$ is picked at random with probability distribution $p(q) = C_i(q)/|C_i|$, and the (uniquely defined) transition $\delta(q)$ is executed, giving the successor configuration $C_{i+1}$. We refer to the random variable corresponding to the trace of this Markov chain as random execution.


Stable Computation. Let $\pi$ denote an execution and $\inf(\pi)$ the configurations occurring infinitely often in $\pi$. If $\inf(\pi)$ contains only $b$-consensuses, we say that $\pi$ stabilises to $b$. For a predicate $\varphi : \mathbb{N}^\Sigma \to \{0, 1\}$ we say that $\mathcal{P}$ (stably) computes $\varphi$, if for all inputs $X \in \mathbb{N}^\Sigma$, the random execution of $\mathcal{P}$ with initial configuration $C_0 = I(X)$ stabilises to $\varphi(X)$ with probability 1.

Finally, for an execution $\pi = C_0 C_1 C_2 \ldots$ we let $T_\varphi$ denote the smallest $i$ s.t. all configurations in $C_i C_{i+1} \ldots$ are $\varphi(X)$-consensuses, or $\infty$ if no such $i$ exists. We say that a BCP $\mathcal{P}$ computes $\varphi$ within $f(n)$ interactions, if for all initial configurations $C_0$ with $n$ agents the random execution $\pi$ starting at $C_0$ has $\mathbb{E}(T_\varphi) \leq f(n) < \infty$, i.e. $\mathcal{P}$ stabilises within $f(n)$ steps in expectation. If $f \in O(\mathrm{poly}(n))$, then we call $\mathcal{P}$ a polynomial-time BCP.


Global States. Often, it is convenient to have a shared global state between all agents. If, for a BCP $\mathcal{P} = (Q, \Sigma, \delta, I, O)$ we have $Q = S \times G$, $I(\Sigma) \subseteq S \times \{j\}$ for some $j \in G$, and $f((s, j)) \in S \times \{j'\}$ for each $\delta((q, j)) = ((r, j'), f)$, then we say that $\mathcal{P}$ has global states $G$. A configuration $C$ has global state $j$, if $\llbracket C \rrbracket \subseteq S \times \{j\}$ for $j \in G$. Note that, starting from a configuration with global state $j$, $\mathcal{P}$ can only reach configurations with a global state. Hence for $\mathcal{P}$ we will generally only consider configurations with a global state. To make our notation more concise, when specifying a transition $\delta(q) = (r, f)$ for $\mathcal{P}$, we will write $f$ as a mapping from $S$ to $S$, as $q, r$ already determine the mapping of global states.


Population Protocols. A population protocol [5] replaces broadcasts by local rendezvous. It can be specified as a tuple $(Q, \Sigma, \delta, I, O)$ where $Q, \Sigma, I, O$ are defined as in BCPs, and $\delta : Q^2 \to Q^2$ defines rendezvous transitions. A step of the protocol at $C$ is made by picking two agents uniformly at random, and applying $\delta$ to their states: first $q_1 \in Q$ is picked with probability $C(q_1)/|C|$, then $q_2 \in Q$ is picked with probability $C'(q_2)/|C'|$, where $C' = C - \{\!\{ q_1 \}\!\}$. The successor configuration then is $C - \{\!\{ q_1, q_2 \}\!\} + \{\!\{ r_1, r_2 \}\!\}$ where $\delta(q_1, q_2) = (r_1, r_2)$.


Broadcast Protocols. Later on we will construct BCPs out of smaller building
blocks which we call broadcast protocols (BPs). A BP is a pair $(Q, \delta)$, where $Q$
and $\delta$ are defined as for BCPs. We extend the applicable definitions from above
to BPs, in particular the notions of configurations, executions, and global states.
3 Example: Majority


Fig. 1. A fast broadcast consensus protocol computing the majority predicate.
[Diagram not reproduced; its legend distinguishes initial states and accepting states.]


As an introductory example, we construct a broadcast consensus protocol for
the majority predicate $\varphi(x, y) = x > y$. Figure 1 depicts the protocol graphically.
We have the set of states $\{x, y, o\} \times \{0, 1\}$, with global states $\{0, 1\}$, where the
states $O = \{(x,1), (y,1), (o,1)\}$ are accepting, and $I(x) = (x, 0)$ and $I(y) = (y, 0)$.
The transitions are

    $(x, 0) \mapsto (o, 1),\ \emptyset$    ($\alpha$)
    $(y, 1) \mapsto (o, 0),\ \emptyset$    ($\beta$)

Note that we use the more compact notation for transitions in the presence
of global states; written in long form ($\alpha$) would be

    $(x, 0) \mapsto (o, 1),\ \{(x, 0) \mapsto (x, 1),\ (y, 0) \mapsto (y, 1),\ (o, 0) \mapsto (o, 1)\}$    ($\alpha$)


To make the presentation of the following sample execution more readable,
we shorten the state $(i, j)$ to $i_j$. For input $x = 3$ and $y = 2$, an execution could
look like this:

    $\{\!\{x_0, x_0, x_0, y_0, y_0\}\!\} \xrightarrow{\alpha} \{\!\{o_1, x_1, x_1, y_1, y_1\}\!\} \xrightarrow{\beta} \{\!\{o_0, x_0, x_0, o_0, y_0\}\!\}$
    $\xrightarrow{\alpha} \{\!\{o_1, o_1, x_1, o_1, y_1\}\!\} \xrightarrow{\beta} \{\!\{o_0, o_0, x_0, o_0, o_0\}\!\} \xrightarrow{\alpha} \{\!\{o_1, o_1, o_1, o_1, o_1\}\!\}$


Intuitively, there is a preliminary global consensus, which is stored in the
global state. Initially, it is rejecting, as $x > y$ is false in the case $x = y = 0$.
However, any $x$ agent is enough to tip the balance, moving to an accepting global
state. Now any $y$ agent could speak up, flipping the consensus again.

The two factions initially belonging to $x$ and $y$, respectively, alternate in this
manner by sending signals $\alpha$ and $\beta$. Strict alternation is ensured as an agent will
not broadcast to confirm the global consensus, only to change it.

After emitting the signal, the agent from the corresponding faction goes
into state $o$, where it can no longer influence the computation. In the end, the
majority faction remains and determines the final consensus.

Considering these alternations with shrinking factions, the expected number
of steps of the protocol until stabilization can be bounded by $2\sum_{k=1}^{n} n/k =
O(n \log n)$. To see that this holds, we consider the factions separately: let $n_0$
denote the number of agents the first faction starts with (i.e. agents initially in
state $(x, 0)$), and $n_1$ the number at the end. When we are waiting for the first
transition of this faction all $n_0$ agents are enabled, so we wait $n/n_0$ steps in
expectation until one of them executes a broadcast. For the next one, we wait
$n/(n_0 - 1)$ steps. In total, this yields $\sum_{k=n_1+1}^{n_0} n/k \le \sum_{k=1}^{n} n/k$ steps for the
first faction, and via the same analysis for the second as well.

In contrast to the $O(n \log n)$ interactions this protocol takes, constant-state
population protocols require $n^2$ interactions in expectation for the computation
of majority [4]. However, these numbers are not directly comparable: broadcasts
may not be parallelizable, while it is uncontroversial to assume that $n$ rendez-
vous occur in parallel time 1.
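The following Python simulator is an added example and not part of the paper. It runs the majority BCP above under the uniformly random scheduler of Section 2 and returns the final global state, the number of scheduler steps and the number of non-silent broadcasts. Because the factions alternate strictly, the number of broadcasts is a function of the input alone ($2y+1$ if $x > y$, else $2x$), which gives a deterministic check of the simulator, and the empirical mean step count can be set against the $2\sum_{k=1}^{n} n/k$ bound derived above. Function names and the seeding convention are choices made here, not the paper's.

```python
import random

# Added example, not from the paper: simulator for the majority BCP of
# Section 3.  An agent state is (faction, g) with faction in {"x", "y", "o"}
# and g the global state shared by all agents.  Only (x,0) and (y,1) have
# non-silent transitions; every other state is silent.

def transition(faction, g):
    """Return (new_faction, new_global) for a non-silent state, else None."""
    if faction == "x" and g == 0:
        return ("o", 1)          # (alpha): (x,0) -> (o,1), global flips to 1
    if faction == "y" and g == 1:
        return ("o", 0)          # (beta):  (y,1) -> (o,0), global flips to 0
    return None


def run_majority(x, y, seed=0):
    """Run on input x, y under a uniformly random scheduler until no agent
    has an enabled non-silent transition.  Returns
    (final global state, scheduler steps, non-silent broadcasts)."""
    rng = random.Random(seed)
    agents = ["x"] * x + ["y"] * y   # local component of each agent
    g = 0                            # global state: x > y is false for x = y = 0
    steps = broadcasts = 0
    while any(transition(a, g) is not None for a in agents):
        steps += 1
        i = rng.randrange(len(agents))           # scheduler picks one agent
        res = transition(agents[i], g)
        if res is None:
            continue                             # silent step, nothing changes
        agents[i], g = res                       # broadcaster retires to o,
        broadcasts += 1                          # everyone sees the new global state
    return g, steps, broadcasts


def expected_broadcasts(x, y):
    """Strict alternation makes the number of non-silent broadcasts a function
    of the input: x fires, y answers, ... until one faction is exhausted."""
    return 2 * y + 1 if x > y else 2 * x


def harmonic_bound(n):
    """The bound 2 * sum_{k=1}^{n} n/k from the text, as a float."""
    return 2.0 * sum(n / k for k in range(1, n + 1))


def mean_steps(x, y, trials, seed=0):
    """Empirical mean of the scheduler steps over independent runs."""
    return sum(run_majority(x, y, seed + t)[1] for t in range(trials)) / trials
```

For $x = 10$, $y = 5$ the analysis above predicts roughly $15(\frac{1}{10}+\dots+\frac{1}{5}) + 15(\frac{1}{5}+\dots+1) \approx 47$ steps in expectation, well inside the bound of $2 \cdot 15 \cdot H_{15} \approx 99.5$.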


4 Comparison with other Models 


To facilitate the definition of an execution model, we only consider deterministic 
BCPs, in the sense that for each state there is a unique transition to execute. 
Blondin, Esparza and Jaax [14] analysed a more general model, i.e. they al- 
low multiple transitions for a single state, picking one of them uniformly at 
random when an agent in that state sends a broadcast. Additionally, as they 
consider BCPs as an extension of population protocols, they include rendez- 
vous transitions. We now show that we can simulate both extensions with only
a constant-factor overhead.


4.1 Non-Deterministic Broadcast Protocols 


The following construction allows for two broadcast transitions to be executed 
uniformly at random from a single state. This can easily be extended to any 
constant number of transitions using the usual construction of a binary tree 
with rejection sampling. 

Now assume that we are given a BCP $(Q, \Sigma, \delta_0, I, F)$ with another set of
broadcast transitions $\delta_1$ and we want each agent to pick one transition uniformly
at random from $\delta_0$ or $\delta_1$ whenever it executes a broadcast.

We implement this using a synthetic coin, i.e. we are utilising randomness 
provided by the scheduler to enable individual agents to make random choices. 
This idea has also been used for population protocols [1,3]. Compared to these 
implementations, broadcasts allow for a simpler approach. 

The idea is that we partition the agents into types, so that half of the agents
have type 0 and the other half have type 1. Additionally, there is a global coin
shared across all agents. To flip the coin, a random agent announces its type
(the coin is set to heads if the agent is type 0, tails if it is type 1) and a second
random agent executes a broadcast transition from either $\delta_0$ or $\delta_1$, depending on
the state of the global coin that has just been set. These two steps repeat, the
former flipping the coin fairly and the latter then executing the actual transitions.
Figure 2 sketches this procedure.
Fig. 2. Transition diagram for implementing multiple broadcasts per state, for $q \in
Q$, with $(q, i, j)$ written as $q_i$. Dashed nodes represent multiple states, with $j \in T$.
Transitions resulting from executing the broadcasts in $\delta_0, \delta_1$ are not shown.
[Diagram not reproduced; only its node labels "exec 0" and "exec 1" survived extraction.]


Intuitively, we start with no agents having either type 0 or 1. When such 
a typeless agent is picked by the scheduler to announce its type (to flip the 
global coin) it instead broadcasts that it is searching for a partner. Once this 
has happened twice, these two agents are matched, one is assigned type 0 and 
the other type 1. Thus we ensure that there is the exact same number of type 
0 and type 1 agents at all times, meaning that we get a perfectly fair coin. 
Additionally we make progress regardless of whether an agent with or without 
a type is chosen. 


To describe the construction formally, we introduce a set of types $T =
\{?, +, -, 0, 1\}$, and choose the set of states $Q' = Q \times T \times \{*, 0, 1\}$, with global
states $\{*, 0, 1\}$ used to represent the state of the synthetic coin. We use $(q, ?)$ as
initial state instead of $q \in I$, and start with global state $*$. To pick types, we
need transitions

    $(q, ?, *) \mapsto (q, +, *),\ \{(r, ?) \mapsto (r, -) : r \in Q\}$ for $q \in Q$    (seek)
    $(q, -, *) \mapsto (q, 1, *),\ \{(r, -) \mapsto (r, ?) : r \in Q\} \cup \{(r, +) \mapsto (r, 0) : r \in Q\}$ for $q \in Q$    (find)

So an agent of type ? announces that it seeks a partner, moving itself to type
+ and the others to type $-$. Then any type $-$ agent may broadcast that a match
has been found, moving itself to type 1 and the type + agent to type 0. The
other type $-$ agents revert to type ?. This ensures that the number of type 0
and 1 agents is always equal. Note that there may be an odd number of agents,
in which case one agent of type + remains.
The following transitions effectively flip the global coin, by having an agent
of type 0 or 1 announce that we now execute a broadcast transition from respec-
tively $\delta_0$ or $\delta_1$. Here, we have $q \in Q$, $o \in \{0, 1\}$.

    $(q, o, *) \mapsto (q, o, o),\ \emptyset$    (flip $o$)

Then we actually execute the transition $\delta_o(q) = (r, f)$, for each $(q, i) \in Q \times T$.

    $(q, i, o) \mapsto (r, i, *),\ \{(s, j) \mapsto (f(s), j) : (s, j) \in Q \times T\}$    (exec $o$)


As the number of type 0 and 1 agents is equal, we select transitions from
$\delta_0$ and $\delta_1$ uniformly at random. It remains to show that the overhead of this
scheme is bounded.

Executing transition (exec 0) or (exec 1) is the goal. Transitions (flip 0) and
(flip 1) ensure that the former are executed in the very next step, so they cause at
most a constant-factor slowdown. Transitions (seek) and (find) can be executed
at most $n$ times, as they decrease the number of agents of type ?. All that remains
is the implicit silent transition of states $(q, +, j)$, which occurs with probability
at most $1/n$ in each step.

Hence, to execute $m \ge n$ steps of the simulated protocol our construction
takes at most $(2m + 2n) \cdot n/(n - 1) \le 8m$ steps in expectation.
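As an added example (not from the paper), the following Python script runs the type assignment and the synthetic coin of this section in isolation. Each agent keeps only its type from $T$, the global coin is `*`, 0 or 1, and the simulated protocol's own transitions $\delta_0$/$\delta_1$ are replaced by a log of which of the two was selected, which is all that is needed to inspect the coin. It assumes at least two agents (with a single agent no partner can ever be found, so the coin is never set); function names are choices made here.

```python
import random

# Added example, not from the paper: the type assignment and synthetic coin of
# Section 4.1 run in isolation.  Each agent keeps only its type from
# T = {"?", "+", "-", 0, 1}; the global coin is "*" (unset), 0 or 1.  The
# underlying protocol's transitions delta_0 / delta_1 are replaced by a log of
# which of the two was selected.  Requires n >= 2.

def seek(types, i):
    """(seek): a '?' agent announces that it looks for a partner; it becomes
    '+', every other '?' agent becomes '-' (all other types are unchanged)."""
    new = ["-" if t == "?" else t for t in types]
    new[i] = "+"
    return new


def find(types, i):
    """(find): a '-' agent answers; it becomes type 1, the waiting '+' agent
    becomes type 0, and the remaining '-' agents revert to '?'."""
    new = []
    for j, t in enumerate(types):
        if j == i:
            new.append(1)
        elif t == "+":
            new.append(0)
        elif t == "-":
            new.append("?")
        else:
            new.append(t)
    return new


def run_coin(n, flips, seed=0):
    """Schedule agents uniformly at random until `flips` simulated broadcasts
    (exec 0 / exec 1) have happened.  Returns (choices, final types)."""
    rng = random.Random(seed)
    types = ["?"] * n
    coin = "*"
    choices = []
    while len(choices) < flips:
        i = rng.randrange(n)
        t = types[i]
        if coin != "*":
            choices.append(coin)       # (exec coin): any agent runs a delta_coin
            coin = "*"                 # transition and resets the coin
        elif t == "?":
            types = seek(types, i)     # (seek)
        elif t == "-":
            types = find(types, i)     # (find)
        elif t in (0, 1):
            coin = t                   # (flip t): announce own type as coin value
        # '+' agents are silent while they wait for a partner
        assert types.count(0) == types.count(1)   # invariant from the text
    return choices, types


def bias(choices):
    """Fraction of choices that selected delta_1 (should be close to 1/2)."""
    return sum(choices) / len(choices)
```

The assertion inside the loop checks the invariant that drives fairness: whenever the coin is unset, a type-0 and a type-1 agent are equally likely to be scheduled, so the recorded choices are unbiased regardless of how many pairs have been formed so far.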


4.2 Population Protocols 


Another extension to BCPs is the addition of rendez-vous transitions. Here we
are given a map $R : Q^2 \to Q^2$. At each step, we flip a coin and either execute a
broadcast transition as usual, or pick two distinct agents uniformly at random,
in state $q$ and $r$, respectively. These interact and move to the two states $R(q, r)$.

Again, we can simulate this extension with only a constant-factor increase
in the expected number of steps. Given a BCP $(Q, \Sigma, B, I, F)$, the idea is to
add states $\{\hat{q} : q \in Q\} \cup \{r_q : r, q \in Q\}$ and insert "activating" transitions
$q \mapsto \hat{q},\ \{r \mapsto r_q : r \in Q\}$ for $q \in Q$ and "deactivating" transitions $r_q \mapsto s,\ \{\hat{q} \mapsto
t\} \cup \{u_q \mapsto u : u \in Q\}$ for each $R(q, r) = (s, t)$. So a state $q$ first signals that it
wants to start a rendez-vous transition. Then, any other state $r$ answers, both
executing the transition and signalling to all other states that it has occurred.

Each state in $Q$ has exactly 2 broadcast transitions, so (using the scheme de-
scribed above) the probability of executing any "activating" transition is exactly
$\frac{1}{2}$, the same as doing one of the original broadcast transitions in $B$. After doing
an activating transition we may do nothing for a few steps by executing the
broadcast transition on $\hat{q}$, but eventually we execute a "deactivating" transition
and go back. The probability of executing a broadcast on $\hat{q}$ is $1/n$, so simulating
a single rendez-vous transition takes $1 + n/(n - 1) \le 3$ steps in expectation.


5 Protocols for Presburger Arithmetic 


While Blondin, Esparza and Jaax [14] show that BCPs are more expressive than 
population protocols, they leave the question open whether BCPs provide a run- 
time speed-up for the class of Presburger predicates computable by population 
protocols. We already saw that Majority can be computed within O(n logn) 
interactions in BCPs. This also holds in general for Presburger predicates: 


Theorem 1. Every Presburger predicate is computable by a BCP within at most 
O(nlogn) interactions. 
We remark that the $O(n \log n)$ bound is asymptotically optimal: e.g. the
stable consensus for the parity predicate ($x \equiv 1 \bmod 2$) must alternate with
configuration size, which clearly requires every agent to perform at least one
broadcast in the computation, and thus yields a lower bound of $\sum_{k=1}^{n} n/k =
\Omega(n \log n)$ steps like in the coupon collector's problem [20].

It is known [22] that every Presburger predicate can be expressed as Boolean
combination of linear inequalities and linear congruence equations over the in-
tegers, i.e. as Boolean combination of predicates of the form $\sum_i a_i x_i < c$, and
$\sum_i a_i x_i \equiv c \bmod m$, where the $a_i$, $c$ and $m$ are integer constants. In Section 5.1
we construct BCPs that compute arbitrary linear inequalities, before we sketch
the construction for congruences and Boolean combinations in Section 5.2.


5.1 Linear Inequalities 


Proposition 1. Let $a_1, \ldots, a_k, c \in \mathbb{Z}$ and let $\varphi(x_1, \ldots, x_k) \Leftrightarrow \sum_{i=1}^{k} a_i x_i <
c$ denote a linear inequality. There exists a broadcast consensus protocol that
computes $\varphi$ within $O(n \log n)$ interactions in expectation.


Proof. We assume wlog that $a_i \ne 0$ for $i = 1, \ldots, k$ and that $a_1, \ldots, a_k$ are
pairwise distinct. Let $A = \max\{|a_1|, |a_2|, \ldots, |a_k|, |c|\}$. We define a BCP $P =
(Q \times G, \Sigma, \delta, I, O)$ with global states $G$, where

    $Q = \{0, a_1, \ldots, a_k\}$,    $\Sigma = \{x_1, \ldots, x_k\}$,
    $G = [-2A, 2A]$,    $O = \{(q, v) : v < c\}$.

As inputs we get $I(x_i) = (a_i, 0)$ for each $i = 1, \ldots, k$. The transitions $\delta$ are
constructed as follows. For every $v \in [-2A, 2A]$ and every $a_i$ satisfying $v + a_i \in
[-2A, 2A]$, we add the following transition to $\delta$:

    $(a_i, v) \mapsto (0, v + a_i),\ \emptyset$    ($a_i$)


Intuitively, in the first component of its state an agent stores its contribution
to $\sum_i a_i x_i$, the left-hand side of the inequality. The global state is used to store a
counter value, initially set to 0. Each agent adds its contribution to the counter,
as long as it does not overflow. The counter goes from $-2A$ to $2A$, which allows
it to store the threshold plus any single contribution. The final counter value
then determines the outcome of the computation.


Correctness. Let $\mathrm{ctr}(C)$ denote the global state (and thus current counter
value) of configuration $C$. Further, let

    $\mathrm{sum}(C) = \sum_{(a, v) \in Q \times G} C((a, v)) \cdot a + \mathrm{ctr}(C)$

denote the sum of all agents' contributions and the current value of the counter.
Every initial configuration $C_0$ has $\mathrm{ctr}(C_0) = 0$ and thus $\mathrm{sum}(C_0) = \sum_i a_i x_i$. Each
transition $a$ increases the counter by $a$ but sets the agent's contribution to 0
(from $a$), so $\mathrm{sum}(C)$ is constant throughout the execution.

Recall that our output mapping depends only on the value of the counter, so
our agents always form a consensus (though not necessarily a stable one). If this
consensus and $\varphi(C_0)$ disagree, then, we claim, a non-silent transition is enabled.

To see this, note that the current consensus depends on whether $\mathrm{ctr}(C) < c$.
If that is the case, but $\varphi(C_0) = 0$, then $\mathrm{sum}(C) \ge c$ and some agent with positive
contribution $a > 0$ exists. Due to $\mathrm{ctr}(C) < c$, transition $a$ is enabled, as
$\mathrm{ctr}(C) + a \le (c - 1) + A \le 2A$ and $\mathrm{ctr}(C) + a > -2A$. Conversely,
if $\mathrm{ctr}(C) \ge c$ and $\varphi(C_0) = 1$, some transition $a$ with $a < 0$ will be enabled.

Finally, note that each non-silent transition increases the number of agents
with contribution 0 by one, so at most $n$ can be executed in total. So the exe-
cution converges and reaches, by the above argument, a correct consensus.


Convergence time. Each agent executes at most one non-silent transition. To
estimate the total number of steps, we partition the agents by their current
contribution: for a configuration $C$ let $C^+ \stackrel{\text{def}}{=} C \mid \{(q, v) \in Q \times G : q > 0\}$ denote
the agents with positive contribution, and define $C^-$ analogously. We have that
either $\mathrm{ctr}(C) < 0$ and all transitions of agents in $C^+$ would be enabled, or
$\mathrm{ctr}(C) \ge 0$ and the transitions of $C^-$ could be executed.

If $C^+$ is enabled, then we have to wait at most $n/|C^+|$ steps in expectation
until a transition is executed, which reduces $|C^+|$ by one. In total we get $n/|C^+| +
n/(|C^+| - 1) + \ldots + n/1 \in O(n \log n)$. The same holds for $C^-$, yielding our overall
bound of $O(n \log n)$.
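The following Python simulator is an added example, not part of the paper. It runs the protocol of Proposition 1 with the counter restricted to $[-2A, 2A]$, checks the invariant $\mathrm{sum}(C) = \sum_i a_i x_i$ after every broadcast, and stops once no agent has an enabled transition, at which point the correctness argument guarantees that the consensus equals $\varphi$. It does not rely on the wlog assumptions (non-zero, pairwise distinct $a_i$), since the simulator indexes agents rather than states. The helper names and the random-input check are choices made here.

```python
import random

# Added example, not from the paper: simulator for the BCP of Proposition 1
# computing sum_i a_i x_i < c.  Every agent carries its remaining contribution
# (a_i at the start, 0 once it has been added to the counter); the global
# state is the counter ctr, restricted to [-2A, 2A].

def run_inequality(coeffs, inputs, c, seed=0):
    """coeffs = (a_1, ..., a_k), inputs = (x_1, ..., x_k).  Returns
    (consensus, scheduler steps).  The invariant sum(C) = sum_i a_i x_i
    from the correctness proof is checked after every broadcast."""
    rng = random.Random(seed)
    A = max([abs(a) for a in coeffs] + [abs(c)])
    agents = [a for a, x in zip(coeffs, inputs) for _ in range(x)]   # I(x_i) = (a_i, 0)
    ctr = 0
    target = sum(a * x for a, x in zip(coeffs, inputs))
    steps = 0

    def enabled(a, v):
        # transition (a_i) exists only if the counter does not overflow
        return a != 0 and -2 * A <= v + a <= 2 * A

    while any(enabled(a, ctr) for a in agents):
        steps += 1
        i = rng.randrange(len(agents))
        if not enabled(agents[i], ctr):
            continue                      # silent step
        ctr += agents[i]                  # (a_i): (a_i, v) -> (0, v + a_i)
        agents[i] = 0
        assert sum(agents) + ctr == target
    return (1 if ctr < c else 0), steps   # O = {(q, v) : v < c}


def predicate(coeffs, inputs, c):
    """The linear inequality itself, evaluated directly."""
    return 1 if sum(a * x for a, x in zip(coeffs, inputs)) < c else 0


def check_random_inputs(coeffs, c, trials, bound=6, seed=1):
    """Compare the protocol against the predicate on constructed random inputs
    with x_i <= bound; returns the number of disagreements (expected: 0)."""
    rng = random.Random(seed)
    bad = 0
    for t in range(trials):
        xs = tuple(rng.randint(0, bound) for _ in coeffs)
        if run_inequality(coeffs, xs, c, seed=t)[0] != predicate(coeffs, xs, c):
            bad += 1
    return bad
```

The third test below ($a = (5, -5)$, $x = (10, 10)$, $c = 0$) is the case where the counter would overflow without the $[-2A, 2A]$ guard: positive agents are disabled once the counter reaches $2A$ and the invariant forces a negative contribution to remain, so the run still terminates with all contributions spent.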


5.2 Modulo Predicates and Boolean Combinations 


Proposition 2. Let $\varphi(x_1, \ldots, x_k) \Leftrightarrow \sum_{i=1}^{k} a_i x_i \equiv c \pmod{l}$ denote a
linear congruence, with $a_1, \ldots, a_k, c, l \in \mathbb{Z}$, $l \ge 2$. There exists a broadcast con-
sensus protocol that computes $\varphi$ within $O(n \log n)$ interactions in expectation.


Proof (sketch). The idea is the same as for Proposition 1, but instead of taking 
care not to overflow the counter we simply perform the additions modulo l. 


Proposition 3 (Boolean combination of predicates). Let $\varphi$ be a Boolean
combination of predicates $\varphi_1, \ldots, \varphi_k$, which are computed by BCPs $P_1, \ldots, P_k$,
respectively, within $O(n \log n)$ interactions. Then there is a protocol computing
$\varphi$ within $O(n \log n)$ interactions.


Proof (sketch). We do a simple parallel composition of the k BCPs, which is the 
same construction as used for ordinary population protocols (see for example [5, 
Lemma 6]). A detailed proof can be found in the full version of this paper. 


6 Protocols for all Predicates in ZPL 


BCPs compute precisely the predicates in NL with input encoded in unary, 
which corresponds to NSPACE(n) when encoded in binary. The proof of the NL 
lower bound by Blondin, Esparza and Jaax [14] goes through multiple stages of
reduction and thus does not reveal which predicates can be computed efficiently.
We will now take a more direct approach, using a construction similar to the one 
by Angluin, Aspnes and Eisenstat [7]. A step of a randomised Turing machine 
(RTM) can be simulated using variants of the protocols for Presburger predicates 
from Section 5, which we combine with a clock to determine whether the step 
has finished, with high probability. 

Instead of simulating RTMs directly, it is more convenient to first reduce 
them to counter machines. Here, we will use counter machines that are both 
randomised and capable of multiplying and dividing by two, with the latter 
also determining the remainder. This ensures that the reduction is performed 
efficiently, i.e. with overhead of O(n log n) interactions per step. 

We first show the other direction: simulating BCPs with RTMs. 


Lemma 1. Polynomial-time BCPs compute at most the predicates in ZPL with 
input encoded in unary. 


Proof. An RTM can store the number of agents in each state as binary counters. 
Picking an agent uniformly at random can be done in O(log n) time by picking a 
random number between 1 and n and comparing it to the agents in the different 
states. Simulating a transition can also be done with logarithmic overhead. It can 
further be shown that stabilization of the execution is decidable in time O(log n) 
(see the full version of this paper for details). As the BCP uses only O(poly n) 
interactions (in expectation) the RTM is also O(poly n) time-bounded. 


Theorem 2. Polynomial-time BCPs compute exactly the predicates in ZPL with 
input encoded in unary. 


The proof of Theorem 2 will take up the remainder of this section. 


Counter machines. Let $\mathrm{Cmd} = \{\mathrm{mul}_2, \mathrm{inc}, \mathrm{divmod}_2, \mathrm{iszero}\}$ denote a set of
commands, and $\mathrm{Ret} = \{\mathrm{done}_0, \mathrm{done}_1\}$ a set of completion statuses. A multi-
plicative counter machine with $k$ counters ($k$-CM) $A = (S, \tau_1, \tau_2)$ consists of a
finite set of states $S$ with $\mathrm{init}, 0, 1 \in S$ and two transition functions $\tau_1, \tau_2$ map-
ping a state $q \in S$ to a tuple $(i, j, q_0, q_1)$ where $i \in \{1, \ldots, k\}$ refers to a counter,
$j \in \mathrm{Cmd}$ is a command, and $q_0, q_1 \in S$ are successor states ($q_1$ is not used for
$\mathrm{mul}_2$ and $\mathrm{inc}$ operations). Additionally, we require that $\tau_1, \tau_2$ map $q \in \{0, 1\}$ to
$(1, \mathrm{iszero}, q, q)$, effectively executing no operation from those states.

The idea is that $A$, starting in state $\mathrm{init}$, picks transitions uniformly at random
from either $\tau_1$ or $\tau_2$. Apart from this randomness, the transitions are determinis-
tic. Eventually, $A$ ends up in either state 0 or 1, at which point it cannot perform
further actions, thereby indicating whether the input is accepted or rejected.


Step-execution function. A CM-configuration is a tuple $K = (q, x_1, \ldots, x_k) \in
S \times \mathbb{N}^k$. We define the step-execution function $\mathrm{step}$ as follows, with $x \in \mathbb{N}$:
— $\mathrm{step}(\mathrm{mul}_2, x) = (\mathrm{done}_0, 2x)$,
— $\mathrm{step}(\mathrm{inc}, x) = (\mathrm{done}_0, x + 1)$,
— $\mathrm{step}(\mathrm{divmod}_2, 2x + b) = (\mathrm{done}_b, x)$, for $b \in \{0, 1\}$, and
— $\mathrm{step}(\mathrm{iszero}, x) = (\mathrm{done}_b, x)$, where $b$ is 1 if $x > 0$ and 0 else.
For two CM-configurations $K = (q, x_1, \ldots, x_k)$ and $K' = (q', x'_1, \ldots, x'_k)$ where
$\tau_o(q) = (i, j, q_0, q_1)$ for $o \in \{1, 2\}$ we write $K \xrightarrow{o} K'$ if $\mathrm{step}(j, x_i) = (\mathrm{done}_b, x'_i)$,
$q' = q_b$ for some $b \in \{0, 1\}$, and $x_r = x'_r$ for $r \ne i$. Note that for each $K$ and $o$
there is exactly one $K'$ with $K \xrightarrow{o} K'$.

The reasoning for introducing the step-execution function is that we want to 

construct a broadcast protocol (BP) which simulates just one step of the CM. 
Later on we can use this BP as a building block in a more general protocol. 


Computation. Let $\varphi : \mathbb{N}^l \to \{0, 1\}$ denote a predicate, for $l \le k$, and $C \in
\mathbb{N}^l$ an input to $\varphi$. We sample a random (CM-)execution $\pi = K_0 K_1 K_2 \ldots$ for
input $C$, where $K_0, \ldots$ are CM-configurations, via a Markov chain. For the initial
configuration we have $K_0 = (\mathrm{init}, C(1), \ldots, C(l), 0, \ldots, 0)$, and $K_{i+1}$ is determined as
the unique configuration with $K_i \xrightarrow{o} K_{i+1}$, where $o \in \{1, 2\}$ is chosen uniformly
at random. (So $\pi$ is the random variable defined as trace of the Markov chain.)

We say that $A$ computes $\varphi$ within $f(n)$ steps if for each $C \in \mathbb{N}^l$ with $|C| = n$
the random execution for input $C$ reaches a configuration in $\{\varphi(C)\} \times \mathbb{N}^k$ after at
most $f(n)$ steps in expectation. Finally, $A$ is $n$-bounded if the random executions
for inputs $C$ with $|C| = n$ can only reach configurations in $S \times \mathbb{N}_{\le n}^k$.


Theorem 3. Let $\varphi$ be a predicate decidable by a log-space bounded RTM within
$O(f(n))$ steps in expectation with unary input encoding. There exists an $n$-
bounded CM that computes $\varphi$ within $O(f(n) \log n)$ steps in expectation.


Proof (sketch). This can be shown by first representing the Turing machine by
a stack machine with two stacks that contain the tape content to the left/right of
the current machine head position. In this representation, head movements and
tape updates amount to performing pop/push operations on the stack. Moreover,
we can simulate a $c \cdot n$-bounded stack by $c$ many $n$-bounded stacks. An $n$-
bounded stack, in turn, can be represented in a counter machine with a constant
number of $2^n$-bounded counters. The stack content is represented as the base-2
number corresponding to the binary sequence stored in the stack. Popping then
amounts to a $\mathrm{divmod}_2$ operation, and pushing amounts to doubling the counter
value, followed by adding 1 or 0, respectively.
A detailed proof can be found in the full version of this paper.


We formally define two types of BPs, ones that simulate a step of the CM, 
and ones behaving like a clock. 


Definition 1. Let $P = (Q \times G, \delta)$ denote a BP with global states $G$ where
$0, 1, \bot \in Q$ and $\mathrm{Cmd}, \mathrm{Ret} \subseteq G$. We define the injection $\psi : G \times \mathbb{N}_{\le n} \to \mathbb{N}^{Q \times G}$ as
$\psi(j, x) \stackrel{\text{def}}{=} x \cdot \{\!\{(1, j)\}\!\} + (n - x) \cdot \{\!\{(0, j)\}\!\}$. The configurations in $\psi(\mathrm{Cmd} \times \mathbb{N})$ are
called initial, the ones in $\psi(\mathrm{Ret} \times \mathbb{N})$ final. We call a configuration $C$ failing, if
$C(\bot, i) > 0$ for some $i \in G$.

We say that $P$ is CM-simulating if the sets of final and failing configurations
are closed under reachability, and from every initial configuration $\psi(j, w)$ the
only reachable final configuration is $\psi(\mathrm{step}(j, w))$, if both are well-defined.
Definition 2. Let $P = (Q, \delta)$ denote a BP with $0, 1 \in Q$ and $\mathrm{Time}(P)$ the
number of steps until $P$, starting in configuration $\{\!\{0, \ldots, 0\}\!\}$, reaches $\{\!\{1, \ldots, 1\}\!\}$, or
$\infty$ if it does not. If $\mathrm{Time}(P)$ is almost surely finite and no agent is in state 1
before $\mathrm{Time}(P)$, then we call $P$ a clock-BP.


Now we begin by constructing a CM-simulating BP. The value of a given
counter is scattered across the population: each agent stores its contribution to
this counter value in its state. The counter value is the sum of all contributions.
Usually, an agent's contribution is either 1 or 0, thus $n$ agents can maximally
store a counter value equal to $n$, which is not problematic, since the counter ma-
chine is assumed to be $n$-bounded. The difficult part is multiplying and dividing
the counter by two. Besides contributions 0 and 1, we will also allow interme-
diate contributions $\frac{1}{2}$ and 2. By executing a single broadcast, we can multiply
(or divide) all the individual contributions by 2, by setting all contributions of
value 1 to 2, or $\frac{1}{2}$, respectively. Then, over time, we "normalise" the agents to all
have contribution 0 or 1 again in a manner which is specified below. This process
takes some time, and we cannot determine with perfect reliability whether it is
finished, so we only bound the time with high probability. Here and in the follow-
ing, we say that some event (dependent on the population size $n$) happens with
high probability, if for all $k > 0$ the event happens with probability $1 - O(n^{-k})$.

In this and subsequent lemmata we use $G(p)$, for $0 < p \le 1$, to denote
the geometric distribution, that is the number of trials until a coin flip with
probability $p$ succeeds, which has expectation $1/p$. We start with a statement
about the tail distributions of sums of geometric variables.


Lemma 2. Let $n \ge 3$ and $X_1, \ldots, X_n$ denote independent random variables with
sum $X$ and $X_i \sim G(i/n)$. Then for any $k \ge 1$ there is an $l$ s.t.

    $P(X \ge l \cdot n \ln n) \le n^{-k}$.
Proof. See the full version of this paper.


Lemma 3. There is a CM-simulating BP s.t. starting from an initial configura-
tion it reaches a final configuration within $O(n \log n)$ steps with high probability.
Proof. Let $P = (Q \times G, \delta)$ denote our BP, with $Q = \{0, \frac{1}{2}, 1, 2, *\}$ and $G =
\mathrm{Cmd} \cup \mathrm{Ret} \cup \{\mathrm{high}\}$. The following transitions initialise the computation, with
$b \in \{0, 1\}$:

    $(b, \mathrm{mul}_2) \mapsto (2b, \mathrm{done}_0),\ \{1 \mapsto 2,\ 0 \mapsto 0\}$    ($\alpha_1$)
    $(b, \mathrm{divmod}_2) \mapsto (\tfrac{b}{2}, \mathrm{done}_0),\ \{1 \mapsto \tfrac{1}{2},\ 0 \mapsto 0\}$    ($\alpha_2$)
    $(b, \mathrm{inc}) \mapsto (b, \mathrm{high}),\ \emptyset$    ($\alpha_3$)

Additionally, we need transitions that move agents back into states 0 and 1.

    $(0, \mathrm{high}) \mapsto (1, \mathrm{done}_0),\ \emptyset$    ($\beta_1$)
    $(2, \mathrm{done}_0) \mapsto (1, \mathrm{high}),\ \emptyset$    ($\beta_2$)
    $(\tfrac{1}{2}, \mathrm{done}_0) \mapsto (0, \mathrm{done}_1),\ \emptyset$    ($\beta_3$)
    $(\tfrac{1}{2}, \mathrm{done}_1) \mapsto (1, \mathrm{done}_0),\ \emptyset$    ($\beta_4$)
This requires some explanation. Basically, we have the invariant that for a con-
figuration $C$ the current value of the counter is $b + \sum_{i \in Q, j \in G} i \cdot C((i, j))$, where
$b$ is 1 if the global state is $\mathrm{high}$ and 0 else. There is a "canonical" representation
of each counter value, where $b = 0$ and the individual contributions $i \in Q$ are
only 0 and 1. The transitions ($\alpha_1$–$\alpha_3$) update the represented counter value in
a single step, but cause a "noncanonical" representation. The transitions ($\beta_1$–
$\beta_4$) preserve the value of the counter and cause the representation to eventually
become canonical.

This corresponds to final configurations from Definition 1: as long as the
representation is noncanonical, i.e. an agent with value $\frac{1}{2}$, 2 or $*$ exists, the
configuration is not final. Conversely, once we reach a final configuration our
representation is canonical, and, as the value of the counter is preserved, we
reach the correct final configuration.


    $(1, \mathrm{iszero}) \mapsto (1, \mathrm{done}_1),\ \emptyset$    ($\alpha_4$)
    $(0, \mathrm{iszero}) \mapsto (0, \mathrm{done}_0),\ \{1 \mapsto *\}$    ($\alpha_5$)
    $(*, \mathrm{done}_0) \mapsto (1, \mathrm{done}_1),\ \{* \mapsto 1\}$    ($\beta_5$)

For $\mathrm{iszero}$ we do something similar, but the value of the counter does not change.
If the initial transition is executed by an agent with value 1, we can go to the
global state $\mathrm{done}_1$ directly. Otherwise, we replace 1 by $*$ and go to $\mathrm{done}_0$, so if no
agents with value 1 exist, we are finished. Else some agent with value $*$ executes
($\beta_5$) and we move to the correct final configuration.

Final configurations can only contain states $\{0, 1\} \times \mathrm{Ret}$. As we have no
outgoing transitions from those states, they are indeed closed under reachability.

It remains to be shown that starting from a configuration $C_0$ we reach a final
configuration within $O(n \log n)$ steps with high probability. Note that transitions
($\alpha_1$–$\alpha_5$) are executed at most once. Moreover, these are the only transitions
enabled at $C_0$, so let $C_1$ denote the successor configuration after executing ($\alpha_1$–
$\alpha_5$), i.e. $C_0 \to C_1$. From now on, we consider only transitions ($\beta_1$–$\beta_5$).

Let $M = \{\frac{1}{2}, 2, *\} \times G$ denote the set of "noncanonical" states, and, for a
configuration $C$, let $\Phi(C) = 2\sum_{q \in M} C(q) + b$ denote a potential function, with
$b$ being 1 if the global state of $C$ is $\mathrm{high}$ and 0 else. Now we can observe that
executing a ($\beta_1$–$\beta_5$) transition strictly decreases $\Phi$, and that $0 \le \Phi(C) \le 2n$ for
any configuration $C$. So after at most $2n$ non-silent transitions, we have reached
a final configuration.

Fix some transition ($\beta_i$), let $q \in Q \times G$ denote the state initiating ($\beta_i$),
and let $C, C', C''$ denote configurations with $C \xrightarrow{\beta_i} C' \xrightarrow{*} C''$, meaning that
$C''$ is a configuration reachable from $C$ after executing ($\beta_i$). Then, we claim,
$C(q) > C''(q)$.

To see that this holds for transitions ($\beta_2$–$\beta_5$), note that for $i \in \{\frac{1}{2}, 2, *\}$ the
number of agents with value $i$ can only decrease when executing transitions ($\beta_1$–
$\beta_5$). For ($\beta_1$) this is slightly more complicated, as ($\beta_3$) increases the number of
agents with value 0. However, ($\beta_1$) is reachable only after ($\alpha_1$) or ($\alpha_3$) has been
executed, while ($\beta_3$) requires ($\alpha_2$). Thus, our claim follows.
Fig. 3. State diagram of the clock implementation. Nodes with $i$ agents in state $c_3$ are
labelled $i$ or $i^+$, the latter denoting that the other agents are in states $c_1^+$ and $c_2^+$. The
final state $*$ has all agents in state 1. Arcs are labelled with transition probabilities.
[Diagram not reproduced.]


Let $X_k$ denote the number of silent transitions before executing ($\beta_i$) for the
$k$-th time, $k = 1, \ldots, l$, and let $r_k$ denote the number of agents in state $q$ at that
time. Then $n \ge r_1 \ge r_2 \ge \ldots \ge r_l \ge 1$ and $X_k$ is distributed according to
$G(r_k/n)$. So we can use Lemma 2 to show that the sum of $X_k$ is $O(n \log n)$ with
high probability. There are only 5 transitions ($\beta_i$), so the same holds for the
total number of steps until reaching a final state.
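As an added example (not from the paper), the following Python script simulates the CM-simulating BP of Lemma 3 on the scattered counter representation: it starts in $\psi(\mathrm{cmd}, x)$, applies the ($\alpha$) and ($\beta$) transitions under the random scheduler, checks that every ($\beta$) step lowers the potential $\Phi$, and reports the completion status and counter value of the final configuration, which can be compared with $\mathrm{step}(\mathrm{cmd}, x)$. It assumes the $n$-boundedness the text relies on (for $\mathrm{mul}_2$ and $\mathrm{inc}$ there must be enough agents with value 0 to absorb the result); function names are choices made here.

```python
import random
from fractions import Fraction

# Added example, not from the paper: simulator for the CM-simulating BP of
# Lemma 3.  Agent values are taken from Q = {0, 1/2, 1, 2, "*"}; the global
# state is a command, a completion status done0 / done1, or "high".
# Assumes an n-bounded result (2x <= n for mul2, x + 1 <= n for inc).

HALF = Fraction(1, 2)
CMD = ("mul2", "inc", "divmod2", "iszero")
RET = ("done0", "done1")


def counter_value(agents, g):
    """b + sum of the numeric contributions, with b = 1 iff g == "high"."""
    return (1 if g == "high" else 0) + sum(a for a in agents if a != "*")


def potential(agents, g):
    """Phi(C) = 2 * |agents in {1/2, 2, *}| + b from the proof of Lemma 3."""
    return 2 * sum(1 for a in agents if a in (HALF, 2, "*")) + (1 if g == "high" else 0)


def broadcast(agents, g, i):
    """Transition of agent i in global state g: returns (agents, g).  The
    same objects come back for a silent step."""
    v = agents[i]
    if g == "mul2" and v in (0, 1):                             # (alpha1)
        return [2 if a == 1 else a for a in agents], "done0"
    if g == "divmod2" and v in (0, 1):                          # (alpha2)
        return [HALF if a == 1 else a for a in agents], "done0"
    if g == "inc" and v in (0, 1):                              # (alpha3)
        return agents, "high"
    if g == "iszero" and v == 1:                                # (alpha4)
        return agents, "done1"
    if g == "iszero" and v == 0:                                # (alpha5)
        return ["*" if a == 1 else a for a in agents], "done0"
    single = {("high", 0): (1, "done0"),                        # (beta1)
              ("done0", 2): (1, "high"),                        # (beta2)
              ("done0", HALF): (0, "done1"),                    # (beta3)
              ("done1", HALF): (1, "done0")}                    # (beta4)
    if (g, v) in single:                                        # only the broadcaster moves
        new = list(agents)
        new[i], g = single[(g, v)]
        return new, g
    if g == "done0" and v == "*":                               # (beta5): every * becomes 1
        return [1 if a == "*" else a for a in agents], "done1"
    return agents, g


def simulate_step(cmd, x, n, seed=0):
    """Start in psi(cmd, x): x agents with value 1, n - x with value 0.  Run
    until the configuration is final (global state in Ret, all values in
    {0, 1}).  Returns (status, counter value, scheduler steps)."""
    rng = random.Random(seed)
    agents, g, steps = [1] * x + [0] * (n - x), cmd, 0
    while not (g in RET and all(a in (0, 1) for a in agents)):
        steps += 1
        new_agents, new_g = broadcast(agents, g, rng.randrange(n))
        if g not in CMD and new_g != g:      # every (beta) strictly lowers Phi
            assert potential(new_agents, new_g) < potential(agents, g)
        agents, g = new_agents, new_g
    return g, int(counter_value(agents, g)), steps
```

Running `simulate_step("divmod2", 5, 8)` goes through $\psi(\mathrm{divmod}_2, 5)$, five agents with value $\frac12$ after ($\alpha_2$), then alternating ($\beta_3$)/($\beta_4$) steps until two agents hold value 1 and the odd half has been folded into $\mathrm{done}_1$, i.e. $\mathrm{step}(\mathrm{divmod}_2, 5) = (\mathrm{done}_1, 2)$.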


Our next construction is the clock-BP, which indicates that some amount 
of time has passed (with high probability). Angluin, Aspnes and Eisenstat used 
epidemics for this purpose [7], as do we. The idea is that one agent initiates an 
epidemic and waits until it sees an infected agent. Similar to standard analysis 
of the coupon collector’s problem, this is likely to take O(n log n) time. 


Lemma 4. There is a clock-BP $P = (Q, \delta)$ s.t. $\mathbb{E}(\mathrm{Time}(P)) \in O(n \log n)$ and
$\mathrm{Time}(P) \in \Omega(n \log n)$ with probability $1 - O(n^{-1/2})$.


Proof (sketch). For a clock we use states $\{0, 1, c_1, c_2, c_3, c_1^+, c_2^+\}$ and transitions

    $0 \mapsto c_1^+,\ \{0 \mapsto c_2^+\}$    ($\alpha$)
    $c_2^+ \mapsto c_3,\ \{c_2^+ \mapsto c_2,\ c_1^+ \mapsto c_1\}$    ($\beta$)
    $c_3 \mapsto c_3,\ \{c_2 \mapsto c_2^+,\ c_1 \mapsto c_1^+\}$    ($\gamma$)
    $c_1^+ \mapsto 1,\ \{c_2^+ \mapsto 1,\ c_3 \mapsto 1\}$    ($\omega$)

State 0 is the initial state, 1 the final state. States $c_1$ and $c_2$ denote "unin-
fected" agents, state $c_3$ "infected" ones. The former can become activated (moving
to $c_1^+$ and $c_2^+$), causing one of them to become infected. Transition ($\alpha$) marks a
leader $c_1$; once they are infected the clock ends (via ($\omega$)). In ($\beta$), a single acti-
vated agent becomes infected, deactivating the other agents. They get activated
again via transition ($\gamma$). The state diagram is shown in Figure 3.

It remains to show that this protocol fulfils the stated time bounds. We prove
$\mathbb{E}(\mathrm{Time}(P)) \in O(n \log n)$ by using that, in expectation, the protocol spends at
most $n/j$ steps in state $j$ and at most $n/(n - j)$ in state $j^+$. For the lower bound
we make a case distinction: either state $\lfloor \sqrt{n} \rfloor$ is not visited (i.e. the leader is one
of the first $\sqrt{n}$ agents to be infected), or the total number of steps is at least
$X_1 + \ldots + X_{\lfloor \sqrt{n} \rfloor}$, where $X_j$ is the number of steps the protocol spends in state $j$.
As $X_j$ is geometrically distributed with mean $n/j$, we apply a tail bound from
Janson [23] to get the desired result.

A detailed proof can be found in the full version of the paper. 
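The following Python simulator is an added example, not part of the paper. It runs the epidemic clock of Lemma 4 under the random scheduler, verifies the clock-BP property that no agent reaches state 1 before $\mathrm{Time}(P)$, and compares the empirical mean of $\mathrm{Time}(P)$ with the upper bound obtained by summing the expected sojourn times $n/j$ and $n/(n-j)$ of the chain states $j$ and $j^+$ described above. Function names and the seeding convention are choices made here.

```python
import random

# Added example, not from the paper: simulator for the epidemic clock of
# Lemma 4.  States are "0", "1", "c1", "c2", "c3" and the activated variants
# "c1+", "c2+"; the transitions are (alpha), (beta), (gamma), (omega) from
# the proof sketch.

def clock_broadcast(agents, i):
    """Apply the transition of agent i.  Returns a new list, or the same
    list object for a silent broadcast (states c1, c2 and 1)."""
    s = agents[i]
    if s == "0":                           # (alpha): the initiator becomes the
        new = ["c2+" if a == "0" else a for a in agents]   # leader c1+, all
        new[i] = "c1+"                                      # others become c2+
        return new
    if s == "c2+":                         # (beta): one activated agent becomes
        new = [{"c2+": "c2", "c1+": "c1"}.get(a, a) for a in agents]   # infected,
        new[i] = "c3"                                                  # the rest deactivate
        return new
    if s == "c3":                          # (gamma): an infected agent activates
        return [{"c2": "c2+", "c1": "c1+"}.get(a, a) for a in agents]  # all uninfected
    if s == "c1+":                         # (omega): the leader has seen the epidemic
        new = [{"c2+": "1", "c3": "1"}.get(a, a) for a in agents]
        new[i] = "1"
        return new
    return agents


def run_clock(n, seed=0):
    """Time(P): steps from all-0 to all-1.  Also checks the clock-BP property
    that no agent is in state 1 before that moment."""
    rng = random.Random(seed)
    agents = ["0"] * n
    t = 0
    while agents != ["1"] * n:
        assert "1" not in agents
        t += 1
        agents = clock_broadcast(agents, rng.randrange(n))
    return t


def expected_bound(n):
    """Upper bound on E(Time(P)) from the text: at most n/j steps in chain
    state j (j infected, waiting for (gamma)) and n/(n-j) in state j+, plus
    the single step for (alpha)."""
    return 1 + sum(n / j for j in range(1, n)) + sum(n / (n - j) for j in range(0, n))


def mean_time(n, trials, seed=0):
    """Empirical mean of Time(P) over independent runs."""
    return sum(run_clock(n, seed + t) for t in range(trials)) / trials
```

Since the chain leaves state $j^+$ through the leader with probability $1/(n-j)$, the probability of ever visiting state $j$ is $(n-j)/n$, and the exact expectation works out to $2 + n H_{n-1}$ (about 30 for $n = 10$), against a bound of roughly 58.6 from `expected_bound(10)`.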


While the above clock measures some interval of time with some reliability, 
we want a clock that measures an “arbitrarily long” interval with “arbitrarily 
high” reliability. Constructions for population protocols use phase clocks for this 
purpose, but broadcasts allow us to synchronise the agents, so we can directly 
execute the clock multiple times in sequence instead. 


Lemma 5. Let $k \in \mathbb{N}$ denote some constant. Then there is a clock-BP $P$ s.t.
$\mathbb{E}(\mathrm{Time}(P)) \in O(n \log n)$, and $\mathrm{Time}(P) < k\, n \log n$ with probability $O(n^{-k})$.


Proof (sketch). The idea is that we run 28k? clocks in sequence, in groups of 
2k. Then it is likely that at least one clock in each group works, yielding the 
overall minimum running time. A detailed proof can be found in the full version 
of this paper. 


As mentioned earlier, we combine the clock with the construction in Lemma 3. 
While we cannot reliably determine whether the operation has finished, we can 
use a clock to measure an interval of time long enough for the protocol to termi- 
nate with high probability. The next construction does just that. In particular, 
in contrast to Lemma 3, it uses its global state to indicate that it is done. 


Lemma 6. There is a CM-simulating BP s.t. starting from an initial configura- 
tion it reaches either a final or a failing configuration C almost surely and within 
O(nlogn) steps in expectation, and C is final with high probability. Additionally, 
all reachable configurations with global state in Ret are final or failing. 


Proof. Fix some $k \in \mathbb{N}$ and let $P = (Q \times G, \delta)$ denote the BP we want to
construct. Further, let $P_1 = (Q_1 \times G_1, \delta_1)$ denote the BP from Lemma 3 and
choose some $c$ s.t. $P_1$ reaches a final configuration after at most $c\, n \log n$ steps
with probability at least $1 - n^{-k}$.

Now we use Lemma 5 to get a clock $P_2 = (Q_2, \delta_2)$ that runs for at least
$c\, n \log n$ steps with probability at least $1 - n^{-k}$.

We do a parallel composition of $P_1$ and $P_2$ to get $P$. In particular, $Q =
Q_1 \times Q_2$, $G = \{j_\circ : j \in G_1\} \cup \mathrm{Ret}$, where for $Q$ we identify $(i, 0)$ with $i$ for
$i \in \{0, 1, \bot\}$, and for $G$ we identify $j$ with $j_\circ$ for $j \in \mathrm{Cmd}$.

Intuitively, we use $\circ$ to rename the global states of $P_1$, meaning that the
global state $j \in G_1$ of $P_1$ is now called $j_\circ$ in our protocol. We want $P$ to start
with the same initial state we have, which is why we identified $j$ with $j_\circ$ for
$j \in \mathrm{Cmd}$. However, we only want to enter a final configuration once the clock
has run out, so the completion statuses of $P_1$ are renamed into $j_\circ$ for $j \in \mathrm{Ret}$
and we enter a final configuration by setting the global state to a $j \in \mathrm{Ret}$.
For each $(q_1, j) \in Q_1 \times G_1$ and $q_2 \in Q_2$ with $\delta_1(q_1, j) = ((r_1, j'), f_1)$ and
$\delta_2(q_2) = (r_2, f_2)$ we get the transition

$$(q_1, q_2, j\sigma) \to ((r_1, r_2), j'\sigma),\ \{(t_1, t_2) \mapsto (f_1(t_1), f_2(t_2)) : t_1 \in Q_1, t_2 \in Q_2\} \qquad (\alpha)$$


These transitions, together with the way we identified states, ensure that $P_1$
and $P_2$ run normally, with the input being passed through to $P_1$ transparently.
However, note that the final configurations of $P_1$ are not final for $P$, meaning
that the protocol never ends. Hence, for $q_1 \in Q_1$, $j \in \mathit{Ret}$ we add the transition


$$(q_1, 1, j\sigma) \to ((q_1, 0), j),\ \{(b, 1) \mapsto (b, 0) : b \in \{0, 1\}\} \cup \{(i, 1) \mapsto (L, 0) : i \in Q_1 \setminus \{0, 1\}\} \qquad (\beta)$$

This terminates the protocol once the clock has run out. If $P_1$ was in a final
state, we will now enter a final state as well, else we move into a failing state.


Finally, we use the above BP to simulate the full $l$-CM.


Lemma 7. Fix some predicate $\varphi : \mathbb{N}^l \to \{0, 1\}$ computable by an $n$-bounded
$l$-CM within $O(f(n)) \subseteq O(\mathrm{poly}\,n)$ steps. Then there is a BCP computing $\varphi$ in
$O(f(n)\,n\log n)$ steps.


Proof (sketch). For each counter we need $n$ agents, so $ln$ in total, but we can
simply have each agent simulate a constant number of agents. To execute a step
of the CM, we use the BP from Lemma 6. It succeeds only with high probability,
but in the case of failure at least one agent will have local state $L$, from which
that agent initiates a restart of the whole computation.

As the CM takes only a polynomial number of steps, we can fix a $k$ s.t. a
computation of our BCP without failures (i.e. one that succeeds on the first try)
takes $O(n^k)$ steps. A single step succeeds with high probability, so we can require
it to fail with probability at most $O(n^{-k-1})$. In total, the restarts increase the
running time by a factor of $1/(1 - O(n^{-k}))$, which is only a constant overhead.

A detailed proof can be found in the full version of this paper. 


This completes the proof of Theorem 2. By Theorem 3, each predicate in 
ZPL (with input encoded in unary) is computable by a bounded l-CM. Lemma 7 
then yields a polynomial-time BCP for that predicate. 

We remark that our reductions also enable us to construct efficient BPPs for
specific predicates. The predicate POWEROFTWO for example, as described in
[14, Proposition 3], can trivially be decided by an $O(\log n)$-time bounded RTM
with input encoded as binary, so there is also a BCP computing that predicate
within $O(n \log^2 n)$ interactions.
Abstract. Finitary Idealized Concurrent Algol (FICA) is a prototypical
programming language combining functional, imperative, and concurrent
computation. There exists a fully abstract game model of FICA, which in
principle can be used to prove equivalence and safety of FICA programs.
Unfortunately, the problems are undecidable for the whole language, and
only very rudimentary decidable sub-languages are known.

We propose leafy automata as a dedicated automata-theoretic formalism
for representing the game semantics of FICA. The automata use an infinite
alphabet with a tree structure. We show that the game semantics of
any FICA term can be represented by traces of a leafy automaton.
Conversely, the traces of any leafy automaton can be represented by a FICA
term. Because of the close match with FICA, we view leafy automata as
a promising starting point for finding decidable subclasses of the
language and, more generally, to provide a new perspective on models of
higher-order concurrent computation.

Moreover, we identify a fragment of FICA that is amenable to verification
by translation into a particular class of leafy automata. Using a locality
property of the latter class, where communication between levels is
restricted and every other level is bounded, we show that their emptiness
problem is decidable by reduction to Petri net reachability.


Keywords: Finitary Idealized Concurrent Algol, Higher-Order Concurrency,
Automata over Infinite Alphabets, Game Semantics


1 Introduction 


Game semantics is a versatile paradigm for giving semantics to a wide spectrum 
of programming languages [3,35]. It is well-suited for studying the observational 
equivalence of programs and, more generally, the behaviour of a program in an 
arbitrary context. About 20 years ago, it was discovered that the game semantics 
of a program can sometimes be expressed by a finite automaton or another simple 
computational model [20]. This led to algorithmic uses of game semantics for 
program analysis and verification [1,15,21,5,27,26,28,34,16,17]. Thus far, these 
advances concerned mostly languages without concurrency. 
In this work, we consider Finitary Idealized Concurrent Algol (FICA) and its
fully abstract game semantics [22]. It is a call-by-name language with higher-order
features, side-effects, and concurrency implemented by a parallel composition
operator and semaphores. It is finitary since, as it is common in this context,
base types are restricted to finite domains. Quite surprisingly, the game
semantics of this language is arguably simpler than that for the language without
concurrency. The challenge comes from algorithmic considerations.

Following the successful approach from the sequential case [20,37,33,36,11],
the first step is to find an automaton model abstracting the phenomena
appearing in the semantics. The second step is to obtain program fragments from
structural restrictions on the automaton model. In this paper we take both steps.

We propose leafy automata: an automaton model working on nested data.
Data are used to represent pointers in plays, while the nesting of data reflects
structural dependencies in the use of pointers. Interestingly, the structural
dependencies in plays boil down to imposing a tree structure on the data. We show
a close correspondence between the automaton model and the game semantics of
FICA. For every program, there is a leafy automaton whose traces (data words)
represent precisely the plays in the semantics of the program (Theorem 3).
Conversely, for every leafy automaton, there is a program whose semantics consists
of plays representing the traces of the automaton (Theorem 5). (The latter result
holds modulo a saturation condition we explain later.) This equivalence shows
that leafy automata are a suitable model for studying decidability questions for
FICA.

Not surprisingly, due to their close connection to FICA, leafy automata turn
out to have an undecidable emptiness problem. We use the undecidability
argument to identify the source, namely communication across several unbounded
levels, i.e., levels in which nodes can produce an unbounded number of children
during the lifetime of the automaton. To eliminate the problem, we introduce
a restricted variant of leafy automata, called local, in which every other level
is bounded and communication is allowed to cross only one unbounded node.
Emptiness for such automata can be decided via reduction to a number of
instances of the Petri net reachability problem.

We also identify a fragment of FICA, dubbed local FICA (LFICA), which 
maps onto local leafy automata. It is based on restricting the distance between 
semaphore and variable declarations and their uses inside the term. This is a 
first non-rudimentary fragment of FICA for which some verification tasks are 
decidable. Overall, this makes it possible to use local leafy automata to analyse 
LFICA terms and decide associated verification tasks. 


Related work Concurrency, even with only first-order recursion, leads to
undecidability [39]. Intuitively, one can encode the intersection of languages of two
pushdown automata. From the automata side, much research on decidable cases
has concentrated on bounding interactions between stacks representing different
threads of the program [38,30,4]. From the game semantics side, the only known
decidable fragment of FICA is Syntactic Control of Concurrency (SCC) [23],
which imposes bounds on the number of threads in which arguments can be used.
This restriction makes it possible to represent the game semantics of programs
by finite automata. In our work, we propose automata models that correspond
to unbounded interactions with arbitrary FICA contexts, and importantly that
remains true also when we restrict the terms to LFICA. Leafy automata are a
model of computation over an infinite alphabet. This area has been explored
extensively, partly motivated by applications to database theory, notably XML [41].
In this context, nested data first appeared in [7], where the authors considered
shuffle expressions as the defining formalism. Later on, data automata [9] and
class memory automata [8] have been adapted to nested data in [14,12]. They are
similar to leafy automata in that the automaton is allowed to access states
related to previous uses of data values at various depths. What distinguishes leafy
automata is that the lifetime of a data value is precisely defined and follows a
question and answer discipline in correspondence with game semantics. Leafy
automata also feature run-time “zero-tests”, activated when reading answers.
For most models over nested data, the emptiness problem is undecidable. To
achieve decidability, the authors in [14,12] relax the acceptance conditions so
that the emptiness problem can eventually be recast as a coverability problem
for a well-structured transition system. In [10], this result was used to show
decidability of equivalence for a first-order (sequential) fragment of Reduced
ML. On the other hand, in [7] the authors relax the order of letters in words,
which leads to an analysis based on semi-linear sets. Both of these restrictions
are too strong to permit the semantics of FICA, because of the game-semantic
WAIT condition, which corresponds to waiting until all sub-processes terminate.
Another orthogonal strand of work on concurrent higher-order programs is
based on higher-order recursion schemes [24,29]. Unlike FICA, they feature
recursion but the computation is purely functional over a single atomic type $o$.


Structure of the paper: In the next two sections we recall FICA and its game 
semantics from [22]. The following sections introduce leafy automata (LA) and 
their local variant (LLA), where we also analyse the associated decision problems 
and, in particular, show that the non-emptiness problem for LLA is decidable. 
Subsequently, we give a translation from FICA to LA (and back) and define a 
fragment LFICA of FICA which can be translated into LLA. We will occasionally 
refer the reader to the full paper [18] which includes appendices with proof details 
and worked examples. 


2 Finitary Idealized Concurrent Algol (FICA) 


Idealized Concurrent Algol [22] is a paradigmatic language combining higher-order
with imperative computation in the style of Reynolds [40], extended to
concurrency with parallel composition (||) and binary semaphores. We consider
its finitary variant FICA over the finite datatype $\{0, \dots, \mathit{max}\}$ ($\mathit{max} > 0$) with
loops but no recursion. Its types $\theta$ are generated by the grammar

$$\theta ::= \beta \mid \theta \to \theta \qquad\qquad \beta ::= \mathit{com} \mid \mathit{exp} \mid \mathit{var} \mid \mathit{sem}$$
  Γ ⊢ skip : com          Γ ⊢ div_θ : θ          Γ ⊢ i : exp

  Γ ⊢ M : exp
  ─────────────────
  Γ ⊢ op(M) : exp

  Γ ⊢ M : com    Γ ⊢ N : β
  ──────────────────────────
  Γ ⊢ M ; N : β

  Γ ⊢ M : com    Γ ⊢ N : com
  ───────────────────────────
  Γ ⊢ M || N : com

  Γ ⊢ M : exp    Γ ⊢ N₁, N₂ : β
  ───────────────────────────────
  Γ ⊢ if M then N₁ else N₂ : β

  Γ ⊢ M : exp    Γ ⊢ N : com
  ───────────────────────────
  Γ ⊢ while M do N : com

  Γ, x : θ ⊢ x : θ

  Γ, x : θ ⊢ M : θ'
  ─────────────────────
  Γ ⊢ λx.M : θ → θ'

  Γ ⊢ M : θ → θ'    Γ ⊢ N : θ
  ─────────────────────────────
  Γ ⊢ M N : θ'

  Γ ⊢ M : var    Γ ⊢ N : exp
  ───────────────────────────
  Γ ⊢ M := N : com

  Γ ⊢ M : var
  ──────────────
  Γ ⊢ !M : exp

  Γ ⊢ M : sem                    Γ ⊢ M : sem
  ──────────────────────         ───────────────────
  Γ ⊢ release(M) : com           Γ ⊢ grab(M) : com

  Γ, x : var ⊢ M : com, exp
  ───────────────────────────────────
  Γ ⊢ newvar x := i in M : com, exp

  Γ, x : sem ⊢ M : com, exp
  ───────────────────────────────────
  Γ ⊢ newsem x := i in M : com, exp


Fig. 1: FICA typing rules


where com is the type of commands; exp that of $\{0, \dots, \mathit{max}\}$-valued
expressions; var that of assignable variables; and sem that of semaphores. The typing
judgments are displayed in Figure 1. skip and $\mathit{div}_\theta$ are constants representing
termination and divergence respectively, $i$ ranges over $\{0, \dots, \mathit{max}\}$, and op
represents unary arithmetic operations, such as successor or predecessor (since
we work over a finite datatype, operations of bigger arity can be defined using
conditionals). Variables and semaphores can be declared locally via newvar and
newsem. Variables are dereferenced using !M, and semaphores are manipulated
using two (blocking) primitives, grab(s) and release(s), which grab and release
the semaphore respectively. The small-step operational semantics of FICA is
reproduced in the full paper [18, Appendix A]. We shall write div for $\mathit{div}_{\mathit{com}}$.


We are interested in contextual equivalence of terms. Two terms are
contextually equivalent if there is no context that can distinguish them with respect to
may-termination. More formally, a term $\vdash M : \mathit{com}$ is said to terminate, written
$M\Downarrow$, if there exists a terminating evaluation sequence from $M$ to skip. Then
contextual (may-)equivalence ($\Gamma \vdash M_1 \cong M_2$) is defined by: for all contexts $C$
such that $\vdash C[M] : \mathit{com}$, $C[M_1]\Downarrow$ if and only if $C[M_2]\Downarrow$. The force of this notion
is quantification over all contexts.

Since contextual equivalence becomes undecidable for FICA very quickly [23],
we will look at the special case of testing equivalence with terms that always
diverge, e.g. given $\Gamma \vdash M : \theta$, is it the case that $\Gamma \vdash M \cong \mathit{div}_\theta$? Intuitively,
equivalence with an always-divergent term means that $C[M]$ will never converge
(must diverge) if $C$ uses $M$. At the level of automata, this will turn out to
correspond to the emptiness problem.
In verification tasks, with the above equivalence test, we can check whether
uses of $M$ can ever lead to undesirable states. For example, for a given term
$x : \mathit{var} \vdash M : \theta$, the term

$$f : \theta \to \mathit{com} \vdash \mathit{newvar}\ x := 0\ \mathit{in}\ (f(M)\ ||\ \mathit{if}\ !x = 13\ \mathit{then}\ \mathit{skip}\ \mathit{else}\ \mathit{div})$$

will be equivalent to div only when $x$ is never set to 13 during a terminating
execution. Note that, because of quantification over all contexts, $f$ may use $M$
an arbitrary number of times, also concurrently or in nested fashion, which is a
very expressive form of quantification.


3 Game semantics 


Game semantics for programming languages involves two players, called
Opponent (O) and Proponent (P), and the sequences of moves made by them can be
viewed as interactions between a program (P) and a surrounding context (O). In
this section, we briefly present the fully abstract game model for FICA from [22],
which we rely on in the paper. The games are defined using an auxiliary concept
of an arena.


Definition 1. An arena $A$ is a triple $(M_A, \lambda_A, \vdash_A)$ where:


— $M_A$ is a set of moves;

— $\lambda_A : M_A \to \{O, P\} \times \{Q, A\}$ is a function determining for each $m \in M_A$
whether it is an Opponent or a Proponent move, and a question or an
answer; we write $\lambda_A^{OP}$, $\lambda_A^{QA}$ for the composite of $\lambda_A$ with respectively the first
and second projections;

— $\vdash_A$ is a binary relation on $M_A$, called enabling, satisfying: if $m \vdash_A n$ for no
$m$ then $\lambda_A(n) = (O, Q)$, if $m \vdash_A n$ then $\lambda_A^{OP}(m) \neq \lambda_A^{OP}(n)$, and if $m \vdash_A n$
then $\lambda_A^{QA}(m) = Q$.


We shall write $I_A$ for the set of all moves of $A$ which have no enabler; such moves
are called initial. Note that an initial move must be an Opponent question.
In arenas used to interpret base types all questions are initial and P-moves
answering them are detailed in the table below, where $i \in \{0, \dots, \mathit{max}\}$.


| Arena | O-question | P-answers |
|---|---|---|
| ⟦com⟧ | run | done |
| ⟦exp⟧ | q | i |
| ⟦var⟧ | read | i |
| | write(i) | ok |
| ⟦sem⟧ | grb | ok |
| | rls | ok |


More complicated types are interpreted inductively using the product ($A \times B$)
and arrow ($A \Rightarrow B$) constructions, given below.


$$\begin{array}{ll}
M_{A \times B} = M_A + M_B & M_{A \Rightarrow B} = M_A + M_B \\
\lambda_{A \times B} = [\lambda_A, \lambda_B] & \lambda_{A \Rightarrow B} = [\langle \bar{\lambda}_A^{OP}, \lambda_A^{QA} \rangle, \lambda_B] \\
\vdash_{A \times B} = \vdash_A + \vdash_B & \vdash_{A \Rightarrow B} = \vdash_A + \vdash_B + \{(b, a) \mid b \in I_B \text{ and } a \in I_A\}
\end{array}$$

where $\bar{\lambda}_A^{OP}(m) = O$ iff $\lambda_A^{OP}(m) = P$. We write $\llbracket\theta\rrbracket$ for the arena corresponding to
type $\theta$. Below we draw (the enabling relations of) $A_1 = \llbracket \mathit{com} \to \mathit{com} \to \mathit{com} \rrbracket$
and $A_2 = \llbracket (\mathit{var} \to \mathit{com}) \to \mathit{com} \rrbracket$ respectively, using superscripts to distinguish
copies of the same move (the use of superscripts is consistent with our future
use of tags in Definition 9).


[Figure: the enabling relations of $A_1$ and $A_2$, drawn as trees with O-moves and P-moves on alternating rows.]

In $A_1$: run (O) enables run$^1$, run$^2$ and done (P); run$^1$ enables done$^1$ (O) and run$^2$ enables done$^2$ (O).

In $A_2$: run (O) enables run$^1$ and done (P); run$^1$ enables read$^{11}$, write(i)$^{11}$ and done$^1$ (O); read$^{11}$ enables $i^{11}$ (P) and write(i)$^{11}$ enables ok$^{11}$ (P).


Given an arena $A$, we specify next what it means to be a legal play in $A$. For
a start, the moves that players exchange will have to form a justified sequence,
which is a finite sequence of moves of $A$ equipped with pointers. Its first move
is always initial and has no pointer, but each subsequent move $n$ must have a
unique pointer to an earlier occurrence of a move $m$ such that $m \vdash_A n$. We say
that $n$ is (explicitly) justified by $m$ or, when $n$ is an answer, that $n$ answers $m$.
If a question does not have an answer in a justified sequence, we say that it is
pending in that sequence. Below we give two justified sequences from $A_1$ and $A_2$
respectively.


$$\mathit{run}\ \mathit{run}^1\ \mathit{run}^2\ \mathit{done}^2\ \mathit{done}^1\ \mathit{done} \qquad\qquad \mathit{run}\ \mathit{run}^1\ \mathit{read}^{11}\ 0^{11}\ \mathit{write}(1)^{11}\ \mathit{ok}^{11}\ \mathit{read}^{11}\ 1^{11}$$

(The justification pointers, drawn as arrows above the sequences in the original, are not reproduced here.)


Not all justified sequences are valid. In order to constitute a legal play, a
justified sequence must satisfy a well-formedness condition that reflects the “static”
style of concurrency of our programming language: any started sub-processes
must end before the parent process terminates. This is formalised as follows,
where the letters $q$ and $a$ refer to question- and answer-moves respectively,
while $m$ denotes arbitrary moves.


Definition 2. The set $P_A$ of plays over $A$ consists of the justified sequences $s$
over $A$ that satisfy the two conditions below.


FORK : In any prefix $s' = \cdots q \cdots m$ of $s$ in which $m$ is justified by $q$, the question $q$ must be pending when
$m$ is played.

WAIT : In any prefix $s' = \cdots q \cdots a$ of $s$ in which $a$ answers $q$, all questions justified by $q$ must be
answered.


It is easy to check that the justified sequences given above are plays. A subset $\sigma$
of $P_A$ is O-complete if $s \in \sigma$ and $so \in P_A$ imply $so \in \sigma$, when $o$ is an O-move.


Definition 3. A strategy on $A$, written $\sigma : A$, is a prefix-closed O-complete
subset of $P_A$.
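As an added illustration of Definitions 1 and 2 (not code from the paper), the following Python checker decides whether a justified sequence over $A_1 = \llbracket \mathit{com} \to \mathit{com} \to \mathit{com} \rrbracket$ is a play. Pointers are given as indices into the sequence; the string encoding of moves (run1 for run$^1$, and so on) and the sample sequences are assumptions of the example.

```python
"""Justified-sequence and play checker for the FORK/WAIT conditions of Definition 2.
Added example (not code from the paper); the arena A1 and its example play are
taken from Section 3, with justification pointers written as list indices."""

# Enabling relation and labelling of A1 as drawn in the paper (superscripts
# that distinguish copies of a move are written as suffixes: run1, done2, ...).
A1_ENABLES = {"run": {"run1", "run2", "done"}, "run1": {"done1"}, "run2": {"done2"}}
A1_LABEL = {"run": ("O", "Q"), "run1": ("P", "Q"), "run2": ("P", "Q"),
            "done": ("P", "A"), "done1": ("O", "A"), "done2": ("O", "A")}


def is_justified(seq, enables, label):
    """A justified sequence is a list of (move, ptr): the first move is initial
    (no enabler, ptr None); every later move points to an earlier occurrence
    of a move that enables it."""
    if not seq:
        return True
    enabled = {n for targets in enables.values() for n in targets}
    m0, p0 = seq[0]
    if p0 is not None or m0 in enabled or m0 not in label:
        return False
    for n, (m, p) in enumerate(seq[1:], start=1):
        if p is None or not 0 <= p < n or m not in label:
            return False
        if m not in enables.get(seq[p][0], set()):
            return False
    return True


def is_pending(seq, k, upto, label):
    """The question at position k is pending in the prefix seq[:upto] if no
    answer inside that prefix points to it."""
    return not any(p == k and label[m][1] == "A" for (m, p) in seq[k + 1:upto])


def is_play(seq, enables, label):
    """Definition 2: a justified sequence is a play iff it satisfies FORK and WAIT."""
    if not is_justified(seq, enables, label):
        return False
    for n, (m, p) in enumerate(seq):
        if p is None:
            continue
        # FORK: when m (justified by the question q at position p) is played, q must be pending.
        if not is_pending(seq, p, n, label):
            return False
        # WAIT: when m answers q, every question justified by q must already be answered.
        if label[m][1] == "A":
            for j in range(p + 1, n):
                mj, pj = seq[j]
                if pj == p and label[mj][1] == "Q" and is_pending(seq, j, n, label):
                    return False
    return True


def check_a1(seq):
    """Is seq a play of the arena A1?"""
    return is_play(seq, A1_ENABLES, A1_LABEL)


# Constructed sample sequences over A1 (pointers are indices into the list).
PLAY_OK = [("run", None), ("run1", 0), ("run2", 0), ("done2", 2), ("done1", 1), ("done", 0)]
BAD_WAIT = [("run", None), ("run1", 0), ("done", 0)]                # done answers run while run1 is pending
BAD_FORK = [("run", None), ("run1", 0), ("done1", 1), ("done1", 1)]  # second done1 points at an answered question
NOT_JUSTIFIED = [("run", None), ("done1", 0)]                        # run does not enable done1

if __name__ == "__main__":
    for name, s in [("PLAY_OK", PLAY_OK), ("BAD_WAIT", BAD_WAIT),
                    ("BAD_FORK", BAD_FORK), ("NOT_JUSTIFIED", NOT_JUSTIFIED)]:
        print(name, check_a1(s))
```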


Suppose $\Gamma = \{x_1 : \theta_1, \dots, x_l : \theta_l\}$ and $\Gamma \vdash M : \theta$ is a FICA-term. Let us
write $\llbracket \Gamma \vdash \theta \rrbracket$ for the arena $\llbracket\theta_1\rrbracket \times \cdots \times \llbracket\theta_l\rrbracket \Rightarrow \llbracket\theta\rrbracket$. In [22] it is shown how to
assign a strategy on $\llbracket \Gamma \vdash \theta \rrbracket$ to any FICA-term $\Gamma \vdash M : \theta$. We write $\llbracket \Gamma \vdash M \rrbracket$
to refer to that strategy. For example, $\llbracket \Gamma \vdash \mathit{div} \rrbracket = \{\epsilon, \mathit{run}\}$ and $\llbracket \Gamma \vdash \mathit{skip} \rrbracket =
\{\epsilon, \mathit{run}, \mathit{run}\,\mathit{done}\}$. Given a strategy $\sigma$, we denote by $\mathit{comp}(\sigma)$ the set of non-empty
complete plays of $\sigma$, i.e. those in which all questions have been answered.
The game-semantic interpretation $\llbracket \cdots \rrbracket$ turns out to provide a fully abstract
model in the following sense.


Theorem 1 ([22]). $\Gamma \vdash M_1 \cong M_2$ iff $\mathit{comp}(\llbracket \Gamma \vdash M_1 \rrbracket) = \mathit{comp}(\llbracket \Gamma \vdash M_2 \rrbracket)$.


In particular, since we have $\mathit{comp}(\llbracket \Gamma \vdash \mathit{div}_\theta \rrbracket) = \emptyset$, $\Gamma \vdash M : \theta$ is equivalent to
$\mathit{div}_\theta$ iff $\mathit{comp}(\llbracket \Gamma \vdash M \rrbracket) = \emptyset$.


4 Leafy automata 


We would like to be able to represent the game semantics of FICA using automata.
To that end, we introduce leafy automata (LA). They are a variant of automata
over nested data, i.e. a type of automata that read finite sequences of letters of
the form $(t, d_0 d_1 \cdots d_j)$ ($j \in \mathbb{N}$), where $t$ is a tag from a finite set $\Sigma$ and each $d_i$
($0 \le i \le j$) is a data value from an infinite set $\mathcal{D}$.

In our case, $\mathcal{D}$ will have the structure of a countably infinite forest and
the sequences $d_0 \cdots d_j$ will correspond to branches of a tree. Thus, instead of
$d_0 \cdots d_j$, we can simply write $d_j$, because $d_j$ uniquely determines its ancestors
$d_0, \dots, d_{j-1}$. The following definition captures the technical assumptions on $\mathcal{D}$.


Definition 4. $\mathcal{D}$ is a countably infinite set equipped with a function $\mathit{pred} : \mathcal{D} \to
\mathcal{D} \cup \{\bot\}$ (the parent function) such that the following conditions hold.


— Infinite branching: $\mathit{pred}^{-1}(\{d_1\})$ is infinite for any $d_1 \in \mathcal{D} \cup \{\bot\}$.
— Well-foundedness: for any $d \in \mathcal{D}$, there exists $i \in \mathbb{N}$, called the level of $d$,
such that $\mathit{pred}^{i+1}(d) = \bot$. Level-0 data values will be called roots.


In order to define configurations of leafy automata, we will rely on finite subtrees
of $\mathcal{D}$, whose nodes will be labelled with states. We say that $T \subseteq \mathcal{D}$ is a subtree of
$\mathcal{D}$ iff $T$ is closed ($\forall x \in T : \mathit{pred}(x) \in T \cup \{\bot\}$) and rooted ($\exists! x \in T : \mathit{pred}(x) = \bot$).
Next we give the formal definition of a level-$k$ leafy automaton. Its set of
states $Q$ will be divided into layers, written $Q^{(i)}$ ($0 \le i \le k$), which will be used
to label level-$i$ nodes. We will write $Q^{(i_1, \dots, i_j)}$ to abbreviate $Q^{(i_1)} \times \cdots \times Q^{(i_j)}$,
excluding any components $Q^{(i_l)}$ where $i_l < 0$. We distinguish $Q^{(0, \dots, -1)} = \{\star\}$.


Definition 5. A level-$k$ leafy automaton ($k$-LA) is a tuple $\mathcal{A} = (\Sigma, k, Q, \delta)$,
where


— $\Sigma = \Sigma_Q + \Sigma_A$ is a finite alphabet, partitioned into questions and answers;

— $k \ge 0$ is the level parameter;

— $Q = \sum_{i=0}^{k} Q^{(i)}$ is a finite set of states, partitioned into sets $Q^{(i)}$ of level-$i$
states;

— $\delta = \delta_Q + \delta_A$ is a finite transition function, partitioned into question- and
answer-related transitions;

— $\delta_Q = \sum_{i=0}^{k} \delta_Q^{(i)}$, where $\delta_Q^{(i)} \subseteq Q^{(0, \dots, i-1)} \times \Sigma_Q \times Q^{(0, \dots, i)}$ for $0 \le i \le k$;

— $\delta_A = \sum_{i=0}^{k} \delta_A^{(i)}$, where $\delta_A^{(i)} \subseteq Q^{(0, \dots, i)} \times \Sigma_A \times Q^{(0, \dots, i-1)}$ for $0 \le i \le k$.


Configurations of LA are of the form $(D, E, f)$, where $D$ is a finite subset of $\mathcal{D}$
(consisting of data values that have been encountered so far), $E$ is a finite subtree
of $\mathcal{D}$, and $f : E \to Q$ is a level-preserving function, i.e. if $d$ is a level-$i$ data
value then $f(d) \in Q^{(i)}$. A leafy automaton starts from the empty configuration
$\kappa_0 = (\emptyset, \emptyset, \emptyset)$ and proceeds according to $\delta$, making two kinds of transitions. Each
kind manipulates a single leaf: for questions one new leaf is added, for answers
one leaf is removed. Let the current configuration be $\kappa = (D, E, f)$.


— On reading a letter $(t, d)$ with $t \in \Sigma_Q$ and $d \notin D$ a fresh level-$i$ data, the
automaton adds a new leaf $d$ in a configuration and updates the states on
the branch to $d$. So it changes its configuration to $\kappa' = (D \cup \{d\}, E \cup \{d\}, f')$
provided that $\mathit{pred}(d) \in E$ and $f'$ satisfies:

$$(f(\mathit{pred}^i(d)), \dots, f(\mathit{pred}(d)),\ t,\ f'(\mathit{pred}^i(d)), \dots, f'(\mathit{pred}(d)), f'(d)) \in \delta_Q^{(i)},$$

$\mathit{dom}(f') = \mathit{dom}(f) \cup \{d\}$, and $f'(x) = f(x)$ for all $x \notin \{\mathit{pred}(d), \dots, \mathit{pred}^i(d)\}$.

— On reading a letter $(t, d)$ with $t \in \Sigma_A$ and $d \in E$ a level-$i$ data which is a
leaf, the automaton deletes $d$ and updates the states on the branch to $d$. So
it changes its configuration to $\kappa' = (D, E \setminus \{d\}, f')$ where $f'$ satisfies:

$$(f(\mathit{pred}^i(d)), \dots, f(\mathit{pred}(d)), f(d),\ t,\ f'(\mathit{pred}^i(d)), \dots, f'(\mathit{pred}(d))) \in \delta_A^{(i)},$$

$\mathit{dom}(f') = \mathit{dom}(f) \setminus \{d\}$ and $f'(x) = f(x)$ for all $x \notin \{\mathit{pred}(d), \dots, \mathit{pred}^i(d)\}$.

— Initially $D$, $E$, and $f$ are empty; we proceed to $\kappa' = (\{d\}, \{d\}, \{d \mapsto q\})$ if
$(t, d)$ is read where $(\star, t, q) \in \delta_Q^{(0)}$. The last move is treated symmetrically.


In all cases, we write $\kappa \xrightarrow{(t, d)} \kappa'$. Note that a single transition can only change
states on the branch ending in $d$. Other parts of the tree remain unchanged.


Example 1. Below we illustrate the effect of LA transitions. Let $D_1 = \{d_0, d_1, d_1'\}$
and $d_2 \notin D_1$. Let $\kappa_1 = (D_1, E_1, f_1)$, $\kappa_2 = (D_1 \cup \{d_2\}, E_2, f_2)$, $\kappa_3 = (D_1 \cup
\{d_2\}, E_1, f_1)$, where the trees $E_1, E_2$ are displayed below and node annotations
of the form $(q)$ correspond to values of $f_1, f_2$, e.g. $f_1(d_0) = q$.


[Figure: $E_1, f_1$ is the tree with root $d_0\,(q)$ and children $d_1\,(q^{(1)})$ and $d_1'\,(q^{(1)})$;
$E_2, f_2$ is the tree with root $d_0\,(r)$, children $d_1\,(q^{(1)})$ and $d_1'\,(r^{(1)})$, and the
level-2 leaf $d_2\,(r^{(2)})$ below $d_1'$.]


On the other hand, to go from $\kappa_2$ to $\kappa_3$ (on $(t, d_2)$), we want $(r, r^{(1)}, r^{(2)}, t,
q, q^{(1)}) \in \delta_A^{(2)}$.
Definition 6. A trace of a leafy automaton $\mathcal{A}$ is a sequence $w = l_1 \cdots l_h \in
(\Sigma \times \mathcal{D})^*$ such that $\kappa_0 \xrightarrow{l_1} \kappa_1 \xrightarrow{l_2} \cdots \xrightarrow{l_h} \kappa_h$, where $\kappa_0 = (\emptyset, \emptyset, \emptyset)$. A configuration
$\kappa = (D, E, f)$ is accepting if $E$ and $f$ are empty. A trace $w$ is accepted by $\mathcal{A}$ if
there is a non-empty sequence of transitions as above with $\kappa_h$ accepting. The set
of traces (resp. accepted traces) of $\mathcal{A}$ is denoted by $\mathit{Tr}(\mathcal{A})$ (resp. $L(\mathcal{A})$).


Remark 1. When writing states, we will often use superscripts $(i)$ to indicate the
intended level. So $(q, \dots, q^{(i-1)}) \xrightarrow{t} (r, \dots, r^{(i)})$ refers to $(q, \dots, q^{(i-1)}, t,
r, \dots, r^{(i)}) \in \delta_Q^{(i)}$; similarly for $\delta_A$ transitions. For $i = 0$, this degenerates to
$\star \xrightarrow{t} r$ and $q \xrightarrow{t} \star$.


Example 2. Consider the 1-LA over $\Sigma_Q = \{\mathit{start}, \mathit{inc}\}$, $\Sigma_A = \{\mathit{dec}, \mathit{end}\}$. Let
$Q^{(0)} = \{0\}$, $Q^{(1)} = \{0\}$ and define $\delta$ by: $\star \xrightarrow{\mathit{start}} 0$, $0 \xrightarrow{\mathit{inc}} (0, 0)$, $(0, 0) \xrightarrow{\mathit{dec}} 0$,
$0 \xrightarrow{\mathit{end}} \star$. The accepted traces of this 1-LA have the form $(\mathit{start}, d_0)\,\big(\|_{i=1}^{n} (\mathit{inc}, d_i)
(\mathit{dec}, d_i)\big)\,(\mathit{end}, d_0)$, i.e. they are valid histories of a single non-negative counter
(histories such that the counter starts and ends at 0). In this case, all traces are
simply prefixes of such words.
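To make Definitions 5 and 6 and Example 2 concrete, here is an added Python simulator (not code from the paper) that keeps configurations $(D, E, f)$ with $E$ as the domain of $f$, applies question and answer transitions along the branch of the data value read, and checks acceptance. The tuple encoding of transitions, the representation of data values as branches, and the sample words are assumptions of the example.

```python
"""Simulator for leafy automata (Definitions 5 and 6) with the counter 1-LA of Example 2.
Added example, not code from the paper. A data value is modelled as its branch
d0 ... dj, written as a tuple of names, so pred simply drops the last name."""


def pred(d):
    """Parent function of Definition 4; None stands for the bottom symbol."""
    return d[:-1] if len(d) > 1 else None


def level(d):
    return len(d) - 1


def ancestors(d):
    """pred^i(d), ..., pred(d) listed from the root downwards (i = level of d)."""
    return [d[:j] for j in range(1, len(d))]


class LeafyAutomaton:
    """A k-LA. Question transitions are triples (q^(0..i-1), t, r^(0..i)) and
    answer transitions are triples (q^(0..i), t, r^(0..i-1)), with the states
    written root-first as tuples; the empty tuple plays the role of the star state."""

    def __init__(self, k, questions, answers, delta_q, delta_a):
        self.k = k
        self.questions, self.answers = frozenset(questions), frozenset(answers)
        self.delta_q, self.delta_a = set(delta_q), set(delta_a)

    @staticmethod
    def initial():
        # kappa_0 = (empty D, empty E, empty f); E is kept implicitly as dom(f).
        return (frozenset(), ())

    def successors(self, config, letter):
        """All configurations reachable from config on one letter (t, d)."""
        D, f_items = config
        f = dict(f_items)
        t, d = letter
        i = level(d)
        if i > self.k:
            return []
        out = []
        if t in self.questions:
            if d in D:                       # a question needs fresh data
                return []
            if i == 0:
                if D:                        # a root is only created from the empty configuration
                    return []
            elif pred(d) not in f:           # pred(d) must already be a node of E
                return []
            branch = ancestors(d)
            old = tuple(f[x] for x in branch)
            for (q, tag, r) in self.delta_q:
                if q == old and tag == t and len(r) == i + 1:
                    f2 = dict(f)
                    f2.update(zip(branch + [d], r))   # update branch states, add leaf d
                    out.append((D | {d}, tuple(sorted(f2.items()))))
        elif t in self.answers:
            if d not in f or any(pred(x) == d for x in f):   # d must be a leaf of E
                return []
            branch = ancestors(d)
            old = tuple(f[x] for x in branch) + (f[d],)
            for (q, tag, r) in self.delta_a:
                if q == old and tag == t and len(r) == i:
                    f2 = dict(f)
                    del f2[d]                              # remove the leaf
                    f2.update(zip(branch, r))              # update branch states
                    out.append((D, tuple(sorted(f2.items()))))
        return out

    def run(self, word):
        """Set of configurations reachable after reading word (empty if not a trace)."""
        configs = {self.initial()}
        for letter in word:
            configs = {c2 for c in configs for c2 in self.successors(c, letter)}
            if not configs:
                break
        return configs

    def is_trace(self, word):
        return bool(self.run(word))

    def accepts(self, word):
        """Definition 6: a non-empty trace whose final configuration has E and f empty."""
        return bool(word) and any(f_items == () for (_, f_items) in self.run(word))


# Example 2: Sigma_Q = {start, inc}, Sigma_A = {dec, end}, Q^(0) = Q^(1) = {0}.
COUNTER = LeafyAutomaton(
    k=1, questions={"start", "inc"}, answers={"dec", "end"},
    delta_q={((), "start", (0,)),        # star --start--> 0
             ((0,), "inc", (0, 0))},     # 0 --inc--> (0, 0)
    delta_a={((0, 0), "dec", (0,)),      # (0, 0) --dec--> 0
             ((0,), "end", ())})         # 0 --end--> star


def counter_value(config):
    """Number of level-1 leaves, i.e. the current value of the simulated counter."""
    return sum(1 for (d, _) in config[1] if level(d) == 1)


# Constructed data values: d0 is a root, d1 and d2 are its children.
d0, d1, d2 = ("d0",), ("d0", "d1"), ("d0", "d2")
W_OK = [("start", d0), ("inc", d1), ("inc", d2), ("dec", d1), ("dec", d2), ("end", d0)]
W_NEG = [("start", d0), ("dec", d1)]                      # dec without a matching inc: not a trace
W_EARLY_END = [("start", d0), ("inc", d1), ("end", d0)]   # d0 is not a leaf yet: not a trace
W_OPEN = [("start", d0), ("inc", d1), ("inc", d2)]        # a trace, but not accepted

if __name__ == "__main__":
    print(COUNTER.accepts(W_OK), COUNTER.is_trace(W_NEG), COUNTER.is_trace(W_EARLY_END))
    print([counter_value(c) for c in COUNTER.run(W_OPEN)])
```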


Remark 2. Note that, whenever a leafy automaton reads $(t, d)$ ($t \in \Sigma_Q$) and the
level of $d$ is greater than 0, then it must have read a unique question $(t', \mathit{pred}(d))$
earlier. Also, observe that an LA trace contains at most two occurrences of the
same data value, such that the first is paired with a question and the second
is paired with an answer. Because the question and the answer share the same
data value, we can think of the answer as answering the question, like in game
semantics. Indeed, justification pointers from answers to questions will be
represented in this way in Theorem 3. Finally, we note that LA traces are invariant
under tree automorphisms of $\mathcal{D}$.


Lemma 1. The emptiness problem for 2-LA is undecidable. For 1-LA, it is
reducible to the reachability problem for VASS in polynomial time and there is a
reverse reduction in exponential time, so it is decidable in Ackermannian time [32]
but not elementary [13].


Proof. For 2-LA we reduce from the halting problem on two-counter-machines.
Two counters can be simulated using configurations of the form


[Figure: a level-0 root labelled $q$ with two level-1 children $c_1$ and $c_2$, each of
which has some number of level-2 children, drawn as $\ast$.]


where there are two level-1 nodes, one for each counter. The number of children
at level 2 encodes the counter value. Zero tests can be implemented by removing
the corresponding level-1 node and creating a new one. This is possible only
when the node is a leaf, i.e., it does not have children at level 2. The state of the
2-counter machine can be maintained at level 0, the states at level 1 indicate the
name of the counter, and the level-2 states are irrelevant.
The translation from 1-LA to VASS is straightforward and based on
representing 1-LA configurations by the state at level 0 and, for each state at level 1,
the count of its occurrences. The reverse translation is based on the same idea
and extends the encoding of a non-negative counter in Example 2, where the
exponential blow up is simply due to the fact that vector updates in VASS are
given in binary whereas 1-LA transitions operate on single branches.


Lemma 2. 1-LA equivalence is undecidable. 


Proof. We provide a direct reduction from the halting problem for 2-counter 
machines, where both counters are required to be zero initially as well as finally. 
The main obstacle is that implementing zero tests as in the proof of the first 
part of Lemma 1 is not available because we are restricted to leafy automata 
with levels 0 and 1 only. To overcome it, we exploit the power of the equivalence 
problem where one of the 1-LA will have the task not of correctly simulating 
zero tests but recognising zero tests that are incorrect. The complete argument 
can be found in the full paper [18, Appendix B]. 


5 Local leafy automata (LLA) 


Here we identify a restricted variant of LA for which the emptiness problem is 
decidable. We start with a technical definition. 


Definition 7. A $k$-LA is bounded at level $i$ ($0 \le i \le k$) if there is a bound $b$
such that each node at level $i$ can create at most $b$ children during a run. We
refer to $b$ as the branching bound.


Note that we are defining a “global” bound on the number of children that a
node at level $i$ may create across a whole run, rather than a “local” bound on
the number of children a node may have in a given configuration.

To motivate the design of LLA, we observe that the undecidability argument
(for the emptiness problem) for 2-LA used two consecutive levels (0 and 1) that
are not bounded. For the node at level 0, this corresponded to the number of zero
tests, while an unbounded counter is simulated at level 1. In the following we will
eliminate consecutive unbounded levels by introducing an alternating pattern
of bounded and unbounded levels. Even-numbered layers ($i = 0, 2, \dots$) will be
bounded, while odd-numbered layers will be unbounded. Observe in particular
that the root (layer 0) is bounded. As we will see later, this alternation reflects the
term/context distinction in game semantics: the levels corresponding to terms
are bounded, and the levels corresponding to contexts are unbounded.

With this restriction alone, it is possible to reconstruct the undecidability 
argument for 4-LA, as two unbounded levels may still communicate. Thus we 
introduce a restriction on how many levels a transition can read and modify. 


— when adding or removing a leaf at an odd level $2i + 1$, the automaton will
be able to access levels $2i$, $2i - 1$ and $2i - 2$; while
— when adding or removing a leaf at an even level $2i$, the automaton will be
able to access levels $2i - 1$ and $2i - 2$.


In particular, when an odd level produces a leaf, it will not be able to see the
previous odd level. The above constraints mean that the transition functions
$\delta_Q^{(i)}, \delta_A^{(i)}$ can be presented in a more concise form, given below.


$$\begin{array}{ll}
\delta_Q^{(i)} \subseteq Q^{(i-2, i-1)} \times \Sigma_Q \times Q^{(i-2, i-1, i)} & \text{if } i \text{ is even} \\
\delta_Q^{(i)} \subseteq Q^{(i-3, i-2, i-1)} \times \Sigma_Q \times Q^{(i-3, i-2, i-1, i)} & \text{if } i \text{ is odd} \\
\delta_A^{(i)} \subseteq Q^{(i-2, i-1, i)} \times \Sigma_A \times Q^{(i-2, i-1)} & \text{if } i \text{ is even} \\
\delta_A^{(i)} \subseteq Q^{(i-3, i-2, i-1, i)} \times \Sigma_A \times Q^{(i-3, i-2, i-1)} & \text{if } i \text{ is odd}
\end{array}$$


In terms of the previous notation used for LA, $(q^{(i-2)}, q^{(i-1)}) \xrightarrow{x} (r^{(i-2)}, r^{(i-1)},
r^{(i)}) \in \delta_Q$ denotes all tuples of the form $(g, q^{(i-2)}, q^{(i-1)}, x, g, r^{(i-2)}, r^{(i-1)}, r^{(i)})$,
where $g$ ranges over $Q^{(0, \dots, i-3)}$.


Definition 8. A level-$k$ local leafy automaton ($k$-LLA) is a $k$-LA whose
transition function admits the above-mentioned presentation and which is bounded at
all even levels.


Theorem 2. The emptiness problem for LLA is decidable. 


Proof (Sketch). Let b be a bound on the number of children created by each 
even node during a run. 

The critical observation is that, once a node d at even level 2i has been 
created, all subsequent actions of descendants of d access (read and/or write) 
the states at levels 2i—1 and 2i — 2 at most 2b times. The shape of the transition 
function dictates that this can happen only when child nodes at level 2i + 1 are 
added or removed. In addition, the locality property ensures that the automaton 
will never access levels < 2i — 2 at the same time as node d or its descendants. 

We will make use of these facts to construct summaries for nodes on even 
levels which completely describe such a node’s lifetime, from its creation as a 
leaf until its removal, and in between performing at most 2b reads-writes of the 
parent and grandparent states. A summary is a sequence quadruples of states: 
two pairs of states of levels 2i — 2 and 2i — 1. The first pair are the states we 
expect to find on these levels, while the second are the states to which we update 
these levels. Hence a summary at level $2i$ is a complete record of a valid sequence of read-writes and stateful changes during the lifetime of a node on level $2i$.

We proceed by induction and show how to calculate the complete set of summaries at level $2i$ given the complete set of summaries at level $2i+2$. We
construct a program for deciding whether a given sequence is a summary at level 
2i. This program can be evaluated via Vector Addition Systems with States 
(VASS). Since we can finitely enumerate all candidate summaries at level 2i, 
this gives us a way to compute summaries at level 2i. Proceeding this way, we 
finally calculate summaries at level 2. At this stage, we can reduce the emptiness 
problem for the given LLA to a reachability test on a VASS. 

The complete argument is given in the full paper [18, Appendix C]. Let us remark also that the problem becomes undecidable if we either remove the boundedness restriction or allow transitions to look one level further.


6 From FICA to LA 


Recall from Section 3 that, to interpret base types, game semantics uses moves 
from the set 


$M = M_{\llbracket com \rrbracket} \cup M_{\llbracket exp \rrbracket} \cup M_{\llbracket var \rrbracket} \cup M_{\llbracket sem \rrbracket} = \{run, done, q, read, grb, rls, ok\} \cup \{i, write(i) \mid 0 \le i \le max\}$.


The game semantic interpretation of a term-in-context $\Gamma \vdash M : \theta$ is a strategy over the arena $\llbracket \Gamma \vdash \theta \rrbracket$, which is obtained through product and arrow constructions, starting from arenas corresponding to base types. As both constructions rely on the disjoint sum, the moves from $\llbracket \Gamma \vdash \theta \rrbracket$ are derived from the base types present in types inside $\Gamma$ and $\theta$. To indicate the exact occurrence of a base type from which each move originates, we will annotate elements of $M$ with a specially crafted scheme of superscripts. Suppose $\Gamma = \{x_1 : \theta_1, \ldots, x_l : \theta_l\}$. The superscripts will have one of the two forms, where $\iota \in \mathbb{N}^*$ and $p \in \mathbb{N}$:


— $(\iota, p)$ will be used to represent moves from $\theta$;
— $(\nu\iota, p)$ will be used to represent moves from $\theta_\nu$ ($1 \le \nu \le l$).


The annotated moves will be written as $m^{(\iota,p)}$ or $m^{(\nu\iota,p)}$, where $m \in M$. We will sometimes omit $p$ on the understanding that this represents $p = 0$. Similarly, when $\iota$ is omitted, the intended value is $\epsilon$. Thus, $m$ stands for $m^{(\epsilon,0)}$.

The next definition explains how the $\iota$ superscripts are linked to moves from $\llbracket \theta \rrbracket$. Given $X \subseteq \{m^{(\iota,p)} \mid \iota \in \mathbb{N}^*, p \in \mathbb{N}\}$ and $\nu \in \mathbb{N} \cup \{x_1, \ldots, x_l\}$, we let $\nu X = \{m^{(\nu\iota,p)} \mid m^{(\iota,p)} \in X\}$.


Definition 9. Given a type $\theta$, the corresponding alphabet $\mathcal{T}_\theta$ is defined as follows:


$\mathcal{T}_\beta = \{m^{(\epsilon,p)} \mid m \in M_{\llbracket \beta \rrbracket},\ p \in \mathbb{N}\}$    ($\beta = com, exp, var, sem$)
$\mathcal{T}_{\theta_1 \to \cdots \to \theta_n \to \beta} = \bigcup_{i=1}^{n} (i\,\mathcal{T}_{\theta_i}) \cup \mathcal{T}_\beta$


For $\Gamma = \{x_1 : \theta_1, \ldots, x_l : \theta_l\}$, the alphabet $\mathcal{T}_{\Gamma \vdash \theta}$ is defined to be $\mathcal{T}_{\Gamma \vdash \theta} = \bigcup_{\nu=1}^{l} (\nu\,\mathcal{T}_{\theta_\nu}) \cup \mathcal{T}_\theta$.


Example 3. The alphabet $\mathcal{T}_{f : com \to com,\ x : com \vdash com}$ is $\{run^{(\epsilon,p)}, done^{(\epsilon,p)}, run^{(1,p)}, done^{(1,p)}, run^{(11,p)}, done^{(11,p)}, run^{(2,p)}, done^{(2,p)} \mid p \in \mathbb{N}\}$.


To represent the game semantics of terms-in-context, of the form $\Gamma \vdash M : \theta$, we are going to use finite subsets of $\mathcal{T}_{\Gamma \vdash \theta}$ as alphabets in leafy automata. The subsets will be finite, because $p$ will be bounded. Note that $\mathcal{T}_\theta$ admits a natural partitioning into questions and answers, depending on whether the underlying move is a question or answer.

We will represent plays using data words in which the underpinning sequence of tags will come from an alphabet as defined above. Superscripts and data are used to represent justification pointers. Intuitively, we represent occurrences of questions with data values. Pointers from answers to questions just refer to these values. Pointers from questions use bounded indexing with the help of $p$.

Initial question-moves do not have a pointer and to represent such questions we simply use $p = 0$. For non-initial questions, we rely on the tree structure of $D$ and use $p$ to indicate the ancestor of the currently read data value that we mean to point at. Consider a trace $w(t_i, d_i)$ ending in a non-initial question, where $d_i$ is a level-$i$ data value and $i > 0$. In our case, we will have $t_i \in \mathcal{T}_{\Gamma \vdash \theta}$, i.e. $t_i = m^{(\iota,p)}$. By Remark 2, trace $w$ contains unique occurrences of questions $(t_0, d_0), \ldots, (t_{i-1}, d_{i-1})$ such that $pred(d_j) = d_{j-1}$ for $j = 1, \ldots, i$. The pointer from $(t_i, d_i)$ goes to one of these questions, and we use $p$ to represent the scenario in which the pointer goes to $(t_{i-(1+p)}, d_{i-(1+p)})$.

Pointers from answer-moves to question-moves are represented simply by 
using the same data value in both moves (in this case we use p = 0). 

We will also use $\epsilon$-tags $\epsilon_Q$ (question) and $\epsilon_A$ (answer), which do not contribute moves to the represented play. Each $\epsilon_Q$ will always be answered with $\epsilon_A$. Note that the use of $p$, $\epsilon_Q$, $\epsilon_A$ means that several data words may represent the same play (see Examples 4, 6).


Example 4. Suppose $d_0 = pred(d_1)$, $d_1 = pred(d_2) = pred(d_4)$, $d_2 = pred(d_3)$, and $d_4 = pred(d_5)$. Then the data word $(run, d_0)\,(run^1, d_1)\,(run^{11}, d_2)\,(run^{11}, d_4)\,(run^{(2,2)}, d_3)\,(run^{(2,2)}, d_5)\,(done^2, d_3)$, which is short for $(run^{(\epsilon,0)}, d_0)\,(run^{(1,0)}, d_1)\,(run^{(11,0)}, d_2)\,(run^{(11,0)}, d_4)\,(run^{(2,2)}, d_3)\,(run^{(2,2)}, d_5)\,(done^{(2,0)}, d_3)$, represents the play

run   run^1   run^11   run^11   run^2   run^2   done^2

O     P       O        O        P       P       O


Example 5. Consider the LA A = (Q,3, X, ô), where Q = {0,1,2}, Q® = {0}, 
Q® = {0,1,2}, Q®) = {0}, Xg = {run, run’, runf!, run(2)}, Xa = {done, 
done” , donet, done”}, and ô is given by 


run 


a i250) a e wie Sa, 0,0) 
mag Anonn Geno aa aAa 


Then traces from $Tr(A)$ represent all plays from $\sigma = \llbracket f : com \to com,\ x : com \vdash f\,x \rrbracket$, including the play from Example 4, and $L(A)$ represents $comp(\sigma)$.


Example 6. One might wish to represent plays of $\sigma$ from the previous Example using data values $d_0, d_1, d_1', d_1'', d_2, d_2'$ such that $d_0 = pred(d_1) = pred(d_1') = pred(d_1'')$, $d_1 = pred(d_2) = pred(d_2')$, so that the play from Example 4 is represented by $(run, d_0)\,(run^1, d_1)\,(run^{11}, d_2)\,(run^{11}, d_2')\,(run^{(2,0)}, d_1')\,(run^{(2,0)}, d_1'')\,(done^{(2,0)}, d_1')$. Unfortunately, it is impossible to construct a 2-LA that would accept all representations of such plays. To achieve this, the automaton would have to make sure that the number of $run^{11}$s is the same as that of $run^2$s. Because the former are labelled with level-2 values and the latter with incomparable level-1 values, the only point of communication (that could be used for comparison) is the root. However, the root cannot accommodate unbounded information, while plays of $\sigma$ can feature an unbounded number of $run^{11}$s, which could well be consecutive.


Before we state the main result linking FICA with leafy automata, we note 
some structural properties of the automata. Questions will create a leaf, and 
answers will remove a leaf. P-moves add leaves at odd levels (questions) and 
remove leaves at even levels (answers), while O-moves have the opposite effect 
at each level. Finally, when removing nodes at even levels we will not need to 
check if a node is a leaf. We call the last property even-readiness. 

Even-readiness is a consequence of the WAIT condition in the game seman- 
tics. The condition captures well-nestedness of concurrent interactions — a term 
can terminate only after subterms terminate. In the leafy automata setting, this 
is captured by the requirement that only leaf nodes can be removed, i.e. a node 
can be removed only if all of its children have been removed beforehand. It turns 
out that, for P-answers only, this property will come for free. Formally, whenever the automaton arrives at a configuration $\kappa = (D, E, f)$, where $d \in E$ is at level $i$ and there is a transition


$(f(pred^{i}(d)), \ldots, f(pred(d)), f(d), t, f'(pred^{i}(d)), \ldots, f'(pred(d))) \in \delta^{(i)}_A$,


then d is a leaf. In contrast, our automata will not satisfy the same property 
for O-answers (the environment) and for such transitions it is crucial that the 
automaton actually checks that only leaves can be removed. 


Theorem 3. For any FICA-term $\Gamma \vdash M : \theta$, there exists an even-ready leafy automaton $A_M$ over a finite subset of $\mathcal{T}_{\Gamma \vdash \theta} + \{\epsilon_Q, \epsilon_A\}$ such that the set of plays represented by data words from $Tr(A_M)$ is exactly $\llbracket \Gamma \vdash M : \theta \rrbracket$. Moreover, $L(A_M)$ represents $comp(\llbracket \Gamma \vdash M : \theta \rrbracket)$ in the same sense.


Proof (Sketch). Because every FICA-term can be converted to $\beta\eta$-normal form, we use induction on the structure of such normal forms. The base cases are: $\Gamma \vdash skip : com$ ($Q^{(0)} = \{0\}$; a $run$-transition creates the root in state $0$ and a $done$-transition removes it), $\Gamma \vdash div : com$ ($Q^{(0)} = \{0\}$; only the $run$-transition creating the root), and $\Gamma \vdash i : exp$ ($Q^{(0)} = \{0\}$; a $q$-transition creates the root in state $0$ and the answer $i$ removes it).

The remaining cases are inductive. When referring to the inductive hypothesis for a subterm $M_i$, we shall use subscripts $i$ to refer to the automata components, e.g. $Q^{(j)}_i$, $\Sigma_i$ etc. In contrast, $Q^{(j)}$, $\Sigma$ will refer to the automaton that is being constructed. Inference lines will indicate that the transitions listed under the line should be added to the new automaton provided the transitions listed above the line are present in the automaton obtained via the induction hypothesis. We discuss a selection of technical cases below.


$\Gamma \vdash M_1 || M_2$. In this case we need to run the automata for $M_1$ and $M_2$ concurrently. To this end, their level-0 states will be combined ($Q^{(0)} = Q^{(0)}_1 \times Q^{(0)}_2$) but not deeper states ($Q^{(j)} = Q^{(j)}_1 + Q^{(j)}_2$, $1 \le j \le k$). The first group of transitions
tid tq 


activate and terminate the two components respectively:


si 


198 A. Dixon et al. 


done 


qo, qos 
The remaining transitions advance each component:
(q, PH 
0 0 i? 0 0 0 0 0 j m 0 i! 
(40) sa) 9) MEQ PeO (Gg) rg) 
0 0 0 0 j! 0 0 j m 0 0 j 
Ca a), a EA RS ee 9 GP ere y= Ha ees I 


where $m \ne run, done$.


$\Gamma \vdash$ newvar $x := i$ in $M_1$. By [22], the semantics of this term is obtained from the semantics of $\llbracket \Gamma, x : var \vdash M_1 \rrbracket$ by


1. restricting to plays in which the moves $read_x$, $write(n)_x$ are followed immediately by answers,

2. selecting those plays in which each answer to a $read_x$-move is consistent with the preceding $write(n)_x$-move (or equal to $i$, if no $write(n)_x$ was made),

3. erasing all moves related to $x$, e.g. those of the form $m^{(x,p)}$.


To implement 1., we will lock the automaton after each $read_x$- or $write(n)_x$-move, so that only an answer to that move can be played next. Technically, this will be done by adding an extra bit (lock) to the level-0 state. To deal with 2., we keep track of the current value of $x$, also at level 0. This makes it possible to ensure that answers to $read_x$ are consistent with the stored value and that $write(n)_x$ transitions cause the right change. Erasing from condition 3 is implemented by replacing all moves with the $x$ subscript with $\epsilon_Q$, $\epsilon_A$-tags.


Accordingly, we have $Q^{(0)} = (Q^{(0)}_1 + (Q^{(0)}_1 \times \{lock\})) \times \{0, \ldots, max\}$ and $Q^{(j)} = Q^{(j)}_1$ ($1 \le j \le k$). As an example of a transition, we give the transition related to writing:


write(z)(®+P) a
( (0) |. a) a(r, J )


qi r 0<n,z < mar


(Cat? 10), a4? ) 9 (Cr lock, 2) sr)


$\Gamma \vdash f M_1 \cdots M_h : com$ with $(f : \theta_1 \to \cdots \to \theta_h \to com)$. Here we will need $Q^{(0)} = \{0,1,2\}$, $Q^{(1)} = \{0\}$, $Q^{(j+2)} = \sum_u Q^{(j)}_u$ ($0 \le j \le k$). The first group of transitions, corresponding to calling and returning from $f$, consists of: a $run$-transition creating the root in state $0$; a $run^1$-transition from $0$ creating the level-1 node, giving $(1,0)$; a $done^1$-transition from $(1,0)$ removing that node and leaving the root in state $2$; and a $done$-transition from $2$ removing the root. Additionally, in state $(1,0)$ we want to enable the environment to spawn an unbounded number of copies of each of $\Gamma \vdash M_u : \theta_u$ ($1 \le u \le h$). This is done through rules that embed the actions of the automata for $M_u$ while (possibly) relabelling the moves in line with our convention for representing moves from game semantics. Such transitions have the general form


: m(t:P) m 
(qe a? a A (a?) AA) 


: map) iv 
(Gene aN = —— Fa” ea) 


Note that this case also covers $f : com$.


More details and the remaining cases are covered in the full paper [18, Appendix D], along with an example of a term and the corresponding LA.


7 Local FICA


In this section we identify a family of FICA terms that can be translated into LLA rather than LA. To achieve boundedness at even levels, we remove while. To achieve restricted communication, we will constrain the distance between a variable declaration and its use. Note that in the translation, the application of function-type variables increases LA depth. So in LFICA we will allow the link between the binder newvar/newsem $x$ and each use of $x$ to "cross" at most one occurrence of a free variable. For example, the following terms


— newvar $x := 0$ in $x := 1 \,||\, f(x := 2)$,
— newvar $x := 0$ in $f(\text{newvar } y \text{ in } f(y := 1) \,||\, x := !y)$


will be allowed, but not newvar $x := 0$ in $f(f(x := 1))$.

To define the fragment formally, given a term $Q$ in $\beta\eta$-normal form, we use a notion of the applicative depth of a variable $x : \beta$ ($\beta = var, sem$) inside $Q$, written $ad_x(Q)$ and defined inductively by the table below. The applicative depth is increased whenever a functional identifier is applied to a term containing $x$.


shape of Q                                  ad_x(Q)
x                                           1
y (y ≠ x), skip, div, i                     0
op(M), !M, release(M), grab(M)              ad_x(M)
M;N, M||N, M:=N, while M do N               max(ad_x(M), ad_x(N))
if M then N1 else N2                        max(ad_x(M), ad_x(N1), ad_x(N2))
λy.M, newvar/newsem y := i in M             ad_x(M[z/y]), where z is fresh
f M1 ... Mk                                 1 + max(ad_x(M1), ..., ad_x(Mk))


Note that in our examples above, in the first two cases the applicative depth of $x$ is 2, and in the third case it is 3.


Definition 10 (Local FICA). A FICA-term $\Gamma \vdash M : \theta$ is local if its $\beta\eta$-normal form does not contain any occurrences of while and, for every subterm of the normal form of the shape newvar/newsem $x := i$ in $N$, we have $ad_x(N) \le 2$. We write LFICA for the set of local FICA terms.


Theorem 4. For any LFICA-term $\Gamma \vdash M : \theta$, the automaton $A_M$ obtained from the translation in Theorem 3 can be presented as a LLA.


Proof (Sketch). We argue by induction that the constructions from Theorem 3 
preserve presentability as a LLA. 

The case of parallel composition involves running copies of $M_1$ and $M_2$ in parallel without communication, with their root states stored as a pair at level 0. Note, though, that each of the automata transitions independently of the state of the other automaton. In consequence, if the automata for $M_1$ and $M_2$ are LLA, so will be the automaton for $M_1||M_2$. The branching bound after the construction is the sum of the two bounds for $M_1$ and $M_2$.


5 The automaton for while M do N may repeatedly visit the automata for M and N, generating an unbounded number of children at level 0 in the process.

For $\Gamma \vdash$ newvar $x := i$ in $M$, because the term is in LFICA, so is $\Gamma, x : var \vdash M$ and we have $ad_x(M) \le 2$. Then we observe that in the translation of Theorem 3 ($\Gamma, x : var \vdash M : \theta$) the questions related to $x$ (namely $write(i)^{(x,p)}$ and $read^{(x,p)}$) correspond to creating leaves at levels 1 or 3, while the corresponding answers ($ok^{(x)}$ and $i^{(x)}$ respectively) correspond to removing such leaves. In the construction for $\Gamma \vdash$ newvar $x$ in $M$, such transitions need access to the root (to read/update the current state) and the root is indeed within the allowable range: in an LLA transitions creating/destroying leaves at level 3 can read/write at level 0. All other transitions (not labelled by $x$) proceed as in $M$ and need not consult the root for additional information about the current state, as it is propagated. Consequently, if $M$ is represented by a LLA then the interpretation of newvar $x := i$ in $M$ is also a LLA. The construction does not affect the branching bound, because the resultant runs can be viewed as a subset of runs of the automaton for $M$, i.e. those in which reads and writes are related.

For $f M_1 \cdots M_h$, we observe that the construction first creates two nodes at levels 0 and 1, and the node at level 1 is used to run an unbounded number of copies of (the automaton for) $M_i$. The copies do not need access to the states stored at levels 0 and 1, because they are never modified when the copies are running. Consequently, if each $M_i$ can be translated into a LLA, the outcome of the construction in Theorem 3 is also a LLA. The new branching bound is the maximum over bounds from $M_1, \ldots, M_h$, because at even levels children are produced as in $M_i$ and level 0 produces only 1 child.


Corollary 1. For any LFICA-term $\Gamma \vdash M : \theta$, the problem of determining whether $comp(\llbracket \Gamma \vdash M \rrbracket)$ is empty is decidable.


Theorems 1 and 2 imply the above. Thanks to Theorem 1, it is decidable if 
a LFICA term is equivalent to a term that always diverges (cf. example on 
page 187). In case of inequivalence, our results could also be applied to ex- 
tract the distinguishing context, first by extracting the witnessing trace from 
the argument underpinning Theorem 2 and then feeding it to the Definabil- 
ity Theorem (Theorem 41 [22]). This is a valuable property given that in the 
concurrent setting bugs are difficult to replicate. 


8 From LA to FICA 


In this section, we show how to represent leafy automata in FICA. Let $A = (\Sigma, k, Q, \delta)$ be a leafy automaton. We shall assume that $\Sigma, Q \subseteq \{0, \ldots, max\}$ so that we can encode the alphabet and states using type exp. We will represent a trace $w$ generated by $A$ by a play $play(w)$, which simulates each transition with two moves, by O and P respectively. The child-parent links in $D$ will be represented by justification pointers. We refer the reader to [18, Appendix F] for details. Below we just state the lemma that identifies the types that correspond to our encoding, where we write $\theta^{max+1} \to \beta$ for $\theta \to \cdots \to \theta \to \beta$ (with $max+1$ occurrences of $\theta$).


Lemma 3. Let $A$ be a $k$-LA and $w \in Tr(A)$. Then $play(w)$ is a play in $\llbracket \theta_k \rrbracket$, where $\theta_0 = com^{max+1} \to exp$ and $\theta_{i+1} = (\theta_i \to com)^{max+1} \to exp$ ($i \ge 0$).


Before we state the main result, we recall from [22] that strategies corresponding 
to FICA terms satisfy a closure condition known as saturation: swapping two 
adjacent moves in a play belonging to such a strategy yields another play from 
the same strategy, as long as the swap yields a play and it is not the case that 
the first move is by O and the second one by P. Thus, saturated strategies 
express causal dependencies of P-moves on O-moves. Consequently, one cannot 
expect to find a FICA-term such that the corresponding strategy is the smallest 
strategy containing $\{ play(w) \mid w \in Tr(A) \}$. Instead, the best one can aim for is
the following result. 


Theorem 5. Given a $k$-LA $A$, there exists a FICA term $\vdash M_A : \theta_k$ such that $\llbracket \vdash M_A : \theta_k \rrbracket$ is the smallest saturated strategy containing $\{ play(w) \mid w \in Tr(A) \}$.


Proof (Sketch). Our assumption $Q \subseteq \{0, \ldots, max\}$ allows us to maintain $A$-states in the memory of FICA-terms. To achieve $k$-fold nesting, we use the higher-order structure of the term: $\lambda f^{(0)}.\, f^{(0)}(\lambda f^{(1)}.\, f^{(1)}(\lambda f^{(2)}.\, f^{(2)}(\cdots \lambda f^{(k)}.\, f^{(k)} \cdots)))$. In fact, instead of the single variables $f^{(i)}$, we shall use sequences $f^{(i)}_0, \ldots, f^{(i)}_{max}$, so that a question $a \in \Sigma$ read by $A$ at level $i$ can be simulated by using variable $f^{(i)}_a$ (using our assumption $\Sigma \subseteq \{0, \ldots, max\}$). Additionally, the term contains state-manipulating code that enables moves only if they are consistent with the transition function of $A$.


9 Conclusion and further work 


We have introduced leafy automata, LA, and shown that they correspond to the 
game semantics of Finitary Idealized Concurrent Algol (FICA). The automata 
formulation makes combinatorial challenges posed by the equivalence problem 
explicit. This is exemplified by a very transparent undecidability proof of the 
emptiness problem for LA. Our hope is that LA will allow us to discover interesting fragments of FICA for which some variant of the equivalence problem is decidable. We have identified one such instance, namely local leafy automata (LLA),
and a fragment of FICA that can be translated to them. The decidability of the 
emptiness problem for LLA implies decidability of a simple instance of the equivalence problem. This in turn allows us to decide some verification questions as in
the example on page 187. Since these types of questions involve quantification 
over all contexts, the use of a fully-abstract semantics appears essential to solve 
them. 

The obvious line of future work is to find some other subclasses of LA with 
decidable emptiness problem. Another interesting target is to find an automaton 
model for the call-by-value setting, where answers enable questions [2,25]. It 
would also be worth comparing our results with abstract machines [19], the 
Geometry of Interaction [31], and the $\pi$-calculus [6].
Abstract. In each variant of the $\lambda$-calculus, factorization and normalization are two key properties that show how results are computed.
Instead of proving factorization/normalization for the call-by-name (CbN) 
and call-by-value (CbV) variants separately, we prove them only once, 
for the bang calculus (an extension of the $\lambda$-calculus inspired by linear
logic and subsuming CbN and CbV), and then we transfer the result via 
translations, obtaining factorization/normalization for CbN and CbV. 
The approach is robust: it still holds when extending the calculi with op- 
erators and extra rules to model some additional computational features. 


1 Introduction 


The $\lambda$-calculus is the model of computation underlying functional programming languages and proof assistants. Actually there are many $\lambda$-calculi, depending on the evaluation mechanism (for instance, call-by-name and call-by-value, CbN and CbV for short) and computational features that the calculus aims to model.

In $\lambda$-calculi, a rewriting relation formalizes computational steps in program
execution, and normal forms are the results of computations. In each calculus, 
a key question is to define a normalizing strategy: How to compute a result? Is 
there a reduction strategy which is guaranteed to output a result, if any exists? 

Proving that a calculus admits a normalizing strategy is complex, and many techniques have been developed. A well-known method first proves factorization [4,32,19,2]. Given a calculus with a rewriting relation $\to$, a strategy $\to_e\ \subseteq\ \to$ factorizes if $\to^* \subseteq \to_e^* \cdot \to_{\neg e}^*$ ($\to_{\neg e}$ is the dual of $\to_e$), i.e. any reduction sequence can be rearranged so as to perform $\to_e$-steps first and then the other steps. If, moreover, the strategy satisfies some "good properties", we can conclude that the strategy is normalizing. Factorization is important also because it is commonly used as a building block in the proof of other properties of the how-to-compute kind. For instance, standardization, which generalizes factorization: every reduction sequence can be rearranged according to a predefined order between redexes.


Two for One. CbN and CbV $\lambda$-calculi are two distinct rewriting systems. Quoting
from Levy [20]: the existence of two separate paradigms (CbN and CbV) is trou- 
bling because to prove a certain property—such as factorization or normalization— 
for both systems we always need to do it twice. 


© The Author(s) 2021 
The first aim of our paper is to develop a technique for deriving factorization for both the CbN [4] and CbV [27] $\lambda$-calculi as corollaries of a single factorization
theorem, and similarly for normalization. A key tool in our study is the bang 
calculus [11,15], a calculus inspired by linear logic in which CbN and CbV embed. 


The Bang Calculus. The bang calculus is a variant of the $\lambda$-calculus where an operator ! plays the role of a marker for non-linear management: duplicability and discardability of resources. The bang calculus is nothing but Simpson's linear $\lambda$-calculus [31] without linear abstraction, or the untyped version of the implicative fragment of Levy's Call-by-Push-Value [20], as first observed by Ehrhard [10].

The motivation to study the bang calculus is to have a general framework where both CbN and CbV $\lambda$-calculi can be simulated, via two distinct translations inspired by Girard's embeddings [14] of the intuitionistic arrow into linear logic. So, a certain property can be studied in the bang calculus and then automatically transferred to the CbN and CbV settings by translating back.

This approach has so far mainly been exploited semantically [21,10,11,15,9,7], but it can also be used to study operational properties [15,30,13]. In this paper, we push forward this operational direction.


The Least-Level Strategy. We study a strategy from the literature of linear logic [8], namely least-level reduction, which fires a redex at minimal level: the level of a redex is the number of ! under which the redex occurs.

We prove that the least-level reduction factorizes and normalizes in the bang 
calculus, and then we transfer the same results to CbN and CbV $\lambda$-calculi (for
suitable definitions of least-level in CbN and CbV), by exploiting properties of 
their translations into the bang calculus. A single proof suffices. It is two-for-one! 
Or even better, three-for-one. 

The rewriting study of the least level strategy in the bang calculus is based 
on simple techniques for factorization and normalization we developed recently 
with Accattoli [2], which simplify and generalize Takahashi’s method [32]. 


Subtleties of the Embeddings. Transferring factorization and normalization results 
via translation is highly non-trivial, e.g. in CPS translations [27]. This applies 
also to transferring least-level factorization from the bang calculus to the CbN 
and CbV $\lambda$-calculi. To transfer the property smoothly, the translations should
preserve levels and normal forms, which is delicate, in particular for CbV. For 
instance, the embedding of CbV into the bang calculus defined in [15,30] does not 
preserve levels and normal forms. As a consequence, the CbV translation studied 
in [15,30] cannot be used to derive least-level factorization or any normalization 
result in a CbV setting from the corresponding result in the bang calculus. 

Here we adopt the refined CbV embedding of Bucciarelli et al. [7], which 
does preserve levels and normal forms. While the preservation of normal forms is 
already stressed in [7], the preservation of levels is proved here for the first time, 
and it is based on non-trivial properties of the embedding. 
Beyond pure. Our second aim is to show that the developed technique for the joined factorization and normalization of CbN and CbV via the bang calculus is robust. We do so by studying extensions of all three calculi with operators (or, in general, with extra rules) which model some additional computational features, such as non-deterministic or probabilistic choice. We then show that the technique scales up smoothly, under mild assumptions on the extension.


A Motivating Example. Let us illustrate our approach on a simple case, which we will use as a running example. De' Liguoro and Piperno's CbN non-deterministic $\lambda$-calculus $\Lambda^{cbn}_\oplus$ [23] extends the CbN $\lambda$-calculus with an operator $\oplus$ whose reduction $\to_\oplus$ models non-deterministic choice: $t \oplus s$ rewrites to either $t$ or $s$. It admits a standardization result, from which it follows that the leftmost-outermost reduction strategy (noted $\to_{LO\beta\oplus}$) is complete: if $t$ has a normal form $u$ then $t \to_{LO\beta\oplus}^* u$. In [22], de' Liguoro considers also a CbV variant $\Lambda^{cbv}_\oplus$, extending Plotkin's CbV $\lambda$-calculus [27] with an operator $\oplus$. One may prove standardization and completeness, again, from scratch, even though the proofs are similar. The approach we propose here is to work in the bang calculus enriched with the operator $\oplus$. We show that the calculus satisfies least-level factorization, from which it follows that the least-level strategy (noted $\to_{ll\oplus}$) is complete, i.e. if $t$ has a normal form $u$, then $t \to_{ll\oplus}^* u$. The translation then guarantees that analogous results hold also in $\Lambda^{cbn}_\oplus$ and $\Lambda^{cbv}_\oplus$, without proving them again.


The Importance of Being Modular. The bang calculus with operators is actually a general formalism for several calculi, one calculus for each kind of computational feature modeled by operators. Concretely, the reduction $\to$ consists of $\to_{\beta!}$ (which subsumes CbN $\to_\beta$ and CbV $\to_{\beta_v}$) and other reduction rules $\to_\rho$.

We decompose the proof of factorization of $\to$ in modules, by using the modular approach we recently introduced together with Accattoli [3].

The key module is the least-level factorization of $\to_{\beta!}$, because it is where the higher-order comes into play; this is done once and for all. Then, we consider a generic reduction rule $\to_\rho$ to add to $\to_{\beta!}$. Our general result is that if $\to_\rho$ has "good properties" and interacts well with $\to_{\beta!}$ (which amounts to an easy test, combinatorial in nature), then we have least-level factorization for $\to_{\beta!} \cup \to_\rho$.

Putting all together, when $\to_\rho$ is instantiated to a concrete reduction (such as $\to_\oplus$), the user of our method only has to verify a simple test (namely Proposition 34) to conclude that $\to_{\beta!} \cup \to_\rho$ has least-level factorization. In particular, factorization for $\to_{\beta!}$ is a ready-to-use black box the user need not worry about: our proof is robust enough to hold whatever the other rules are. Finally, the embeddings automatically give least-level factorization for the corresponding CbV and CbN calculi. Section 7 illustrates our method in the case $\to_\rho\ = \to_\oplus$.


Subtleties of the Modular Extensions. To adopt the modular approach for factorization presented in [3], we have to face an important difficulty that arises when dealing with normalizing strategies, and which is not studied in [3]. A normalizing strategy cannot overlook redexes and it usually selects the redex $r$ to fire through a property that $r$ minimizes with respect to the redexes in the whole term, such as being a least level redex or being the leftmost-outermost (shortened to LO) redex: normalizing strategies are positional. The problem is that, in general, if $\to\ = \to_\beta \cup \to_\rho$, then the normalizing strategy for $\to$ is not the union of the normalizing strategies for $\to_\beta$ and $\to_\rho$: the normalizing strategy of the compound system is not obtained putting together the normalizing strategies of the components. Let us explain the issue on our running example $\to_{\beta\oplus}$, in the familiar case of leftmost-outermost reduction.


Example 1. Consider head reductions for $\to_\beta$ and for $\to_{\beta\oplus}\ = \to_\beta \cup \to_\oplus$, noted $\to_{h\beta}$ and $\to_{h\beta\oplus}$ respectively. In the term $s = (II)(x \oplus y)$ where $I = \lambda x.x$, the subterm $II$ (a $\beta$-redex) is in head position for both the reduction $\to_\beta$ and its extension $\to_{\beta\oplus}$. So, $s \to_{h\beta} I(x \oplus y)$ and $s \to_{h\beta\oplus} I(x \oplus y)$. And in the term $t = (x \oplus y)(II)$, the head position is occupied by $x \oplus y$, which is a $\oplus$-redex. Therefore, $II$ is not the head redex in $t$, neither for $\beta$ nor for $\beta\oplus$. In general, $\to_{h\beta\oplus}\ = \to_{h\beta} \cup \to_{h\oplus}$.

In contrast, for leftmost-outermost reduction $\to_{LO\beta\oplus}$, which reduces the LO-redex, we have $\to_{LO\beta\oplus}\ \neq\ \to_{LO\beta} \cup \to_{LO\oplus}$. Consider again the term $t = (x \oplus y)(II)$. Since $x \oplus y$ is not a $\beta$-redex, $II$ is the LO-redex for $\to_\beta$. Instead, $II$ is not the LO-redex for $\to_{\beta\oplus}$ (here the LO-redex is $x \oplus y$). So, $t \to_{LO\beta} (x \oplus y)I$ but $t \not\to_{LO\beta\oplus} (x \oplus y)I$.


The least-level factorization for $\to_{\beta!}$, $\to_\beta$, and $\to_{\beta_v}$ we prove here is robust enough to make it ready to be used as a module in a larger proof, where it may combine with operators and other rules. The key point is to define the least-level reduction from the very beginning as a reduction firing a redex at minimal level with respect to a general set of redexes (including $\beta!$, $\beta$ or $\beta_v$, respectively), so that it is "ready" to be extended with other reduction rules (see Section 4).


Proofs. All proofs are available in [12], the long version of this paper. 


2 Background in Abstract Rewriting 


An (abstract) rewriting system [33, Ch. 1] is a pair $(A, \to)$ consisting of a set $A$ and a binary relation $\to\ \subseteq A \times A$ (called reduction) whose pairs are written $t \to s$ and called steps. A $\to$-sequence from $t$ is a sequence of $\to$-steps. As usual, $\to^*$ (resp. $\to^=$) denotes the transitive-reflexive (resp. reflexive) closure of $\to$. We say that $u$ is $\to$-normal (or a $\to$-normal form) if there is no $t$ such that $u \to t$. In general, a term may or may not reduce to a normal form. If it does, not all reduction sequences necessarily lead to a normal form. A term is weakly or strongly normalizing, depending on whether it may or must reduce to normal form. More precisely, a term $t$ is strongly $\to$-normalizing if every maximal $\to$-sequence from $t$ ends in a $\to$-normal form: any choice of $\to$-steps will eventually lead to a normal form. A term $t$ is weakly $\to$-normalizing if $t \to^* u$ for some $\to$-normal $u$. If $t$ is weakly but not strongly normalizing, how do we compute a normal form? This is the problem tackled by normalization: by repeatedly performing only specific steps, a normal form is eventually reached, provided that $t$ can $\to$-reduce to any.
Definition 2 (Normalizing and complete strategy). A reduction $\to_{\mathsf{e}} \subseteq \to$ is a strategy for $\to$ if it has the same normal forms as $\to$. A strategy $\to_{\mathsf{e}}$ for $\to$ is:

- complete if $t \to_{\mathsf{e}}^* u$ whenever $t \to^* u$ with $u$ $\to$-normal;

- normalizing if every weakly $\to$-normalizing term is strongly $\to_{\mathsf{e}}$-normalizing.

Note that if the strategy $\to_{\mathsf{e}}$ is complete and deterministic (i.e. for every $t \in A$, $t \to_{\mathsf{e}} s$ for at most one $s \in A$), then $\to_{\mathsf{e}}$ is a normalizing strategy for $\to$.


Informally, a strategy for $\to$ is a way to control the fact that in a term there are different possible choices of a $\to$-step. A normalizing strategy for $\to$ is a strategy that is guaranteed to reach a $\to$-normal form, if it exists, from any term. This provides a useful tool to show that a term is not weakly $\to$-normalizing.
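On a finite rewriting system the notions just defined (normal form, weakly and strongly normalizing, strategy, complete, normalizing) can be checked mechanically. The following Python is an added worked example, not code from the paper: it encodes a small constructed system as a successor map and implements each clause of Definition 2 by exhaustive graph search. The system `ARS` and the candidate strategies `GOOD`, `BAD`, `FULL` and `NOT_STRAT` are constructed for the example; `a` is weakly but not strongly normalizing, so a good strategy has to avoid the loop through `c`.

```python
"""Definition 2 on finite abstract rewriting systems (added example).

An ARS (A, ->) is a dict mapping each element of A to the set of its
one-step successors.  All checks are exhaustive graph searches, which is
adequate for finite systems only; the lambda-calculi of the paper are
infinite and need the proof techniques of Sections 4 to 6 instead.
"""


def normal_forms(ars):
    """Elements with no outgoing step."""
    return {a for a, succ in ars.items() if not succ}


def reachable(ars, a):
    """Reflexive-transitive closure: every b with a ->* b."""
    seen, stack = set(), [a]
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(ars[x])
    return seen


def weakly_normalizing(ars, a):
    """a ->* u for some ->-normal u."""
    return bool(reachable(ars, a) & normal_forms(ars))


def strongly_normalizing(ars, a):
    """Every maximal ->-sequence from a is finite.  In a finite system an
    infinite sequence exists iff a cycle is reachable, so this is a DFS
    with white/grey/black cycle detection."""
    colour = {}

    def dfs(x):
        colour[x] = "grey"
        for y in ars[x]:
            if colour.get(y) == "grey":        # back edge: a cycle
                return False
            if y not in colour and not dfs(y):
                return False
        colour[x] = "black"
        return True

    return dfs(a)


def is_strategy(ars, strat):
    """strat is a strategy for ars: included in -> and same normal forms."""
    return (all(strat[a] <= ars[a] for a in ars)
            and normal_forms(strat) == normal_forms(ars))


def is_complete(ars, strat):
    """t strat* u whenever t ->* u with u ->-normal."""
    nfs = normal_forms(ars)
    return all((reachable(ars, t) & nfs) <= reachable(strat, t) for t in ars)


def is_normalizing(ars, strat):
    """Every weakly ->-normalizing term is strongly strat-normalizing."""
    return all(strongly_normalizing(strat, t)
               for t in ars if weakly_normalizing(ars, t))


def is_deterministic(strat):
    """At most one step from every element."""
    return all(len(succ) <= 1 for succ in strat.values())


# Constructed system: a -> b, a -> c, c -> c; b is the only normal form.
ARS = {"a": {"b", "c"}, "b": set(), "c": {"c"}}
GOOD = {"a": {"b"}, "b": set(), "c": {"c"}}       # always step towards b
BAD = {"a": {"c"}, "b": set(), "c": {"c"}}        # a strategy, but never reaches b
FULL = dict(ARS)                                  # -> itself: complete, not normalizing
NOT_STRAT = {"a": {"b"}, "b": set(), "c": set()}  # c becomes normal: not a strategy
```

`FULL` shows why completeness alone is not enough: every normal form reachable by $\to$ is reachable by `FULL`, yet from `a` it may still loop forever. `GOOD` is complete and deterministic, hence normalizing, as the note after Definition 2 states.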


Proving Normalization. Factorization means that any $\to$-sequence from a term to another can be rearranged by performing a certain kind of steps first. It provides a simple technique to establish that a strategy is normalizing.

Definition 3 (Factorization). Let $(A, \to)$ be a rewriting system with $\to = \to_{\mathsf{e}} \cup \to_{\mathsf{i}}$. The relation $\to$ satisfies e-factorization, written $\mathsf{Fact}(\to_{\mathsf{e}}, \to_{\mathsf{i}})$, if

$$\mathsf{Fact}(\to_{\mathsf{e}}, \to_{\mathsf{i}}):\quad \to^* \;\subseteq\; \to_{\mathsf{e}}^* \cdot \to_{\mathsf{i}}^* \qquad \text{(Factorization)}$$
Lemma 4 (Normalization [2]). Let $\to = \to_{\mathsf{e}} \cup \to_{\mathsf{i}}$, and $\to_{\mathsf{e}}$ be a strategy for $\to$.

The strategy $\to_{\mathsf{e}}$ is complete for $\to$ if the following conditions hold:

1. (persistence) if $t \to_{\mathsf{i}} t'$ then $t'$ is not $\to$-normal;

2. (factorization) $t \to^* u$ implies $t \to_{\mathsf{e}}^* \cdot \to_{\mathsf{i}}^* u$.

The strategy $\to_{\mathsf{e}}$ is normalizing for $\to$ if it is complete and the following holds:

3. (uniformity) every weakly $\to_{\mathsf{e}}$-normalizing term is strongly $\to_{\mathsf{e}}$-normalizing.

A sufficient condition for uniformity (and confluence) is the quasi-diamond property.

Property 5 (Newman [25]). If a reduction $\to$ is quasi-diamond (i.e. $s \leftarrow t \to r$ implies $s = r$ or $s \to u \leftarrow r$ for some $u$), then $\to$ is uniform and confluent (i.e. $s \;{}^*\!\!\leftarrow t \to^* r$ implies $s \to^* u \;{}^*\!\!\leftarrow r$ for some $u$).


Proving Factorization. Hindley [17] first noted that a local property implies factorization. Let $\to = \to_{\mathsf{e}} \cup \to_{\mathsf{i}}$. We say that $\to_{\mathsf{i}}$ strongly postpones after $\to_{\mathsf{e}}$ if

$$\mathsf{SP}(\to_{\mathsf{e}}, \to_{\mathsf{i}}):\quad \to_{\mathsf{i}} \cdot \to_{\mathsf{e}} \;\subseteq\; \to_{\mathsf{e}}^* \cdot \to_{\mathsf{i}}^= \qquad \text{(Strong Postponement)}$$

Lemma 6 (Hindley [17]). $\mathsf{SP}(\to_{\mathsf{e}}, \to_{\mathsf{i}})$ implies $\mathsf{Fact}(\to_{\mathsf{e}}, \to_{\mathsf{i}})$.
Strong postponement can rarely be used directly, because several interesting reductions, including $\beta$-reduction, do not satisfy it. However, it is at the heart of Takahashi's method [32] to prove head factorization of $\to_\beta$, via the following immediate property that can also be used to prove other factorizations (see [2]).

Property 7 (Characterization of factorization). We have $\mathsf{Fact}(\to_{\mathsf{e}}, \to_{\mathsf{i}})$ if and only if there is a reduction $\Rightarrow_{\mathsf{i}}$ such that $\Rightarrow_{\mathsf{i}}^* = \to_{\mathsf{i}}^*$ and $\mathsf{SP}(\to_{\mathsf{e}}, \Rightarrow_{\mathsf{i}})$.

The core of Takahashi's method [32] to prove head factorization in the $\lambda$-calculus is to introduce a relation $\Rightarrow_{\mathsf{i}}$ called internal parallel reduction, which verifies the conditions of Property 7. We will follow a similar path in Section 6.1, to prove least-level factorization in the bang calculus.


Compound systems: proving factorization in a modular way. In this paper, we will consider compound rewriting systems that are obtained by extending the $\lambda$-calculus with extra rules to model advanced computational features.

In an abstract setting, let us consider a rewrite system $(A, \to)$ where $\to = \to_\xi \cup \to_\rho$. Under which condition does $\to$ admit factorization, assuming that both $\to_\xi$ and $\to_\rho$ do? To deal with this question, a technique for proving factorization for compound systems in a modular way has been introduced in [3]. The approach can be seen as an analogue for factorization of the classical technique for confluence based on the Hindley-Rosen lemma [4]: if $\to_\xi$ and $\to_\rho$ are e-factorizing reductions, their union $\to_\xi \cup \to_\rho$ also is, provided that two local conditions of commutation hold.

Lemma 8 (Modular factorization [3]). Let $\to_\xi := \to_{\mathsf{e}\xi} \cup \to_{\mathsf{i}\xi}$ and $\to_\rho := \to_{\mathsf{e}\rho} \cup \to_{\mathsf{i}\rho}$ be e-factorizing relations. Let $\to_{\mathsf{e}} := \to_{\mathsf{e}\xi} \cup \to_{\mathsf{e}\rho}$ and $\to_{\mathsf{i}} := \to_{\mathsf{i}\xi} \cup \to_{\mathsf{i}\rho}$. The reduction $\to_\xi \cup \to_\rho$ fulfills factorization $\mathsf{Fact}(\to_{\mathsf{e}}, \to_{\mathsf{i}})$ if the following swaps hold:

$$\to_{\mathsf{i}\xi} \cdot \to_{\mathsf{e}\rho} \;\subseteq\; \to_{\mathsf{e}\rho} \cdot \to_\xi^* \qquad\text{and}\qquad \to_{\mathsf{i}\rho} \cdot \to_{\mathsf{e}\xi} \;\subseteq\; \to_{\mathsf{e}\xi} \cdot \to_\rho^* \qquad \text{(Linear Swaps)}$$

The subtlety here is to set $\to_{\mathsf{e}\xi}$ and $\to_{\mathsf{e}\rho}$ so that $\to_{\mathsf{e}} = \to_{\mathsf{e}\xi} \cup \to_{\mathsf{e}\rho}$. As already shown in Example 1, when dealing with normalizing strategies one needs extra care.


3 $\lambda$-calculi: CbN, CbV, and bang

We present here a generic syntax for $\lambda$-calculi, possibly containing operators. All the variants of the $\lambda$-calculus we shall study use this language. We assume some familiarity with the $\lambda$-calculus, and refer to [4,18] for details.

Given a countable set $\mathsf{Var}$ of variables, denoted by $x, y, z, \ldots$, terms and values (whose sets are denoted by $\Lambda_O$ and $\mathsf{Val}$, respectively) are defined as follows:

$$t, s, r ::= v \mid ts \mid o(t_1, \ldots, t_k) \quad \text{Terms: } \Lambda_O \qquad\qquad v ::= x \mid \lambda x.t \quad \text{Values: } \mathsf{Val}$$

where $o$ ranges over a set $O$ of function symbols called operators, each one with its own arity $k \in \mathbb{N}$. If the operators are $o_1, \ldots, o_n$, the set of terms is indicated as $\Lambda_{o_1 \ldots o_n}$. When the set $O$ of operators is empty, the calculus is called pure, and the set of terms is denoted by $\Lambda$; otherwise, the calculus is applied.

Terms are identified up to renaming of bound variables, where abstraction is the only binder. We denote by $t\{s/x\}$ the capture-avoiding substitution of $s$ for the free occurrences of $x$ in $t$. Contexts (with exactly one hole $\langle\cdot\rangle$) are generated by the grammar below, and $c\langle t\rangle$ stands for the term obtained from the context $c$ by replacing the hole with the term $t$ (possibly capturing free variables).

$$c ::= \langle\cdot\rangle \mid tc \mid ct \mid \lambda x.c \mid o(t_1, \ldots, c, \ldots, t_k) \qquad \text{Contexts: } \mathcal{C}$$

A rule $\rho$ is a binary relation on $\Lambda_O$; we also call it $\rho$-rule and denote it by $\mapsto_\rho$, writing $t \mapsto_\rho t'$ rather than $(t, t') \in \rho$. The $\rho$-reduction $\to_\rho$ is the contextual closure of $\mapsto_\rho$. Explicitly, $t \to_\rho t'$ holds if $t = c\langle r\rangle$ and $t' = c\langle r'\rangle$ for some context $c$ with $r \mapsto_\rho r'$; the term $r$ is called a $\rho$-redex. The set of $\rho$-redexes is denoted by $\mathcal{R}_\rho$.

Given a set of rules $\mathsf{Rules}$, the relation $\to = \bigcup_\rho \to_\rho$ (for $\rho \in \mathsf{Rules}$) can equivalently be defined as the contextual closure of $\mapsto = \bigcup_\rho \mapsto_\rho$.


3.1 Call-by-Name and Call-by-Value $\lambda$-calculi

Pure CbN and Pure CbV $\lambda$-calculi. The pure call-by-name (CbN for short) $\lambda$-calculus [4,18] is $(\Lambda, \to_\beta)$, the set of terms $\Lambda$ together with the $\beta$-reduction $\to_\beta$, defined as the contextual closure of the usual $\beta$-rule, which we recall in (1) below.

The pure call-by-value (CbV for short) $\lambda$-calculus [27] is the set $\Lambda$ endowed with the reduction $\to_{\beta_v}$, defined as the contextual closure of the $\beta_v$-rule in (2).

$$\text{CbN: } (\lambda x.t)s \mapsto_\beta t\{s/x\} \quad (1) \qquad\qquad \text{CbV: } (\lambda x.t)v \mapsto_{\beta_v} t\{v/x\} \text{ with } v \in \mathsf{Val} \quad (2)$$

CbN and CbV $\lambda$-calculi. A CbN (resp. CbV) $\lambda$-calculus is the set of terms endowed with a reduction $\to$ which extends $\to_\beta$ (resp. $\to_{\beta_v}$).

In particular, the applied setting with operators (when $O \neq \emptyset$) models in the $\lambda$-calculus richer computational features, allowing $o$-reductions as the contextual closure of $o$-rules of the form $o(t_1, \ldots, t_k) \mapsto_o s$.

Example 9 (Non-deterministic $\lambda$-calculi). Let $O = \{\oplus\}$ where $\oplus$ is a binary operator; let $\to_\oplus$ be the contextual closure of the (non-deterministic) rule below:

$$\oplus(t_1, t_2) \mapsto_\oplus t_1 \qquad\text{and}\qquad \oplus(t_1, t_2) \mapsto_\oplus t_2.$$

The non-deterministic CbN $\lambda$-calculus $\Lambda_\oplus^{\mathsf{CbN}} = (\Lambda_\oplus, \to_{\beta\oplus})$ is the set $\Lambda_\oplus$ with the reduction $\to_{\beta\oplus} = \to_\beta \cup \to_\oplus$. The non-deterministic CbV $\lambda$-calculus $\Lambda_\oplus^{\mathsf{CbV}} = (\Lambda_\oplus, \to_{\beta_v\oplus})$ is the set $\Lambda_\oplus$ with the reduction $\to_{\beta_v\oplus} = \to_{\beta_v} \cup \to_\oplus$.


3.2 Bang calculi

The bang calculus [11,15] is a variant of the $\lambda$-calculus inspired by linear logic. An operator $!$ plays the role of a marker for duplicability and discardability. Here we allow also the presence of operators other than $!$, ranging over a set $O$. So, terms and contexts of the bang calculus (denoted by capital letters) are:

$$T, S, R ::= x \mid \lambda x.T \mid TS \mid\ !T \mid o(T_1, \ldots, T_k) \qquad \text{Terms: } \Lambda_{!O}$$
$$C ::= \langle\cdot\rangle \mid \lambda x.C \mid TC \mid CT \mid\ !C \mid o(T_1, \ldots, C, \ldots, T_k) \qquad \text{Contexts: } \mathcal{C}_!$$

Terms of the form $!T$ are called boxes and their set is denoted by $!\Lambda_{!O}$. When there are no operators other than $!$ (i.e. $O = \emptyset$), the set of terms and the set of boxes are denoted by $\Lambda_!$ and $!\Lambda_!$, respectively. This syntax can be expressed in the one at the beginning of Section 3, where $!$ is a unary operator called bang.$^3$

The pure bang calculus. The pure bang calculus $(\Lambda_!, \to_{\beta!})$ is the set of terms $\Lambda_!$ endowed with reduction $\to_{\beta!}$, the closure under contexts in $\mathcal{C}_!$ of the $\beta!$-rule:

$$(\lambda x.T)\,!S \mapsto_{\beta!} T\{S/x\} \qquad (3)$$

Intuitively, in the bang calculus the bang-operator $!$ marks the only terms that can be erased and duplicated. Indeed, a $\beta$-like redex $(\lambda x.T)S$ can be fired by $\mapsto_{\beta!}$ only when its argument $S$ is a box, i.e. $S = !R$: if it is so, the content $R$ of the box $S$ (and not $S$ itself) replaces any free occurrence of $x$ in $T$.

A proof of confluence of $\beta!$-reduction $\to_{\beta!}$ is in [15].

Notation 10. We use the following notations to denote some notable terms.

$$\iota := \lambda x.x \qquad \delta := \lambda x.xx \qquad I := \lambda x.!x \qquad \Delta := \lambda x.x\,!x$$

Remark 11 (Notable terms). The term $I = \lambda x.!x$ plays the role of the identity in the bang calculus: $I\,!T \to_{\beta!} !(x\{T/x\}) = !T$ for any term $T$. Instead, the term $\iota = \lambda x.x$, when applied to a box $!T$, opens the box, i.e. returns its content $T$: $\iota\,!T \to_{\beta!} x\{T/x\} = T$. Finally, $\Delta\,!\Delta \to_{\beta!} \Delta\,!\Delta \to_{\beta!} \cdots$ is a diverging term.

A bang calculus. A bang calculus $(\Lambda_{!O}, \to)$ is the set $\Lambda_{!O}$ of terms endowed with a reduction $\to$ which extends $\to_{\beta!}$. In this paper we shall consider calculi where $\to$ contains $\to_{\beta!}$ and $o$-reductions $\to_o$ ($o \in O$) defined from $o$-rules of the form $o(T_1, \ldots, T_k) \mapsto_o S$, and possibly other rules. So, $\to = \bigcup_\rho \to_\rho$ (for $\rho \in \mathsf{Rules}$), with $\mathsf{Rules} \supseteq \{\beta!, o \mid o \in O\}$. We set $\to_O = \bigcup_{o \in O} \to_o$.


3.3 CbN and CbV translations into the bang calculus

Our motivation to study the bang calculus is to have a general framework where both CbN [4] and CbV [27] $\lambda$-calculi can be embedded, via two distinct translations. Here we show how these translations work. We extend the simulation results in [15,30,7] for the pure case to the case with operators (Proposition 13).

Following [7], the CbV translation defined here differs from [15,30] in the application case. Section 5 will show why this optimization is crucial.

CbN and CbV translations are two maps $(\cdot)^n\colon \Lambda_O \to \Lambda_{!O}$ and $(\cdot)^v\colon \Lambda_O \to \Lambda_{!O}$, respectively, translating terms of the $\lambda$-calculus into terms of the bang calculus:

$$x^n := x \qquad (\lambda x.t)^n := \lambda x.t^n \qquad (o(t_1, \ldots, t_k))^n := o(t_1^n, \ldots, t_k^n) \qquad (ts)^n := t^n\,!s^n$$

$$x^v := !x \qquad (\lambda x.t)^v := !(\lambda x.t^v) \qquad (o(t_1, \ldots, t_k))^v := o(t_1^v, \ldots, t_k^v) \qquad (ts)^v := \begin{cases} T\,s^v & \text{if } t^v = !T \\ (\iota\,t^v)\,s^v & \text{otherwise.} \end{cases}$$

Example 12. Consider the $\lambda$-term $\omega := \delta\delta$: then $\delta^n = \Delta$, $\delta^v = !\Delta$ and $\omega^n = \Delta\,!\Delta = \omega^v$ ($\delta$ and $\Delta$ are defined in Notation 10). The $\lambda$-term $\omega$ is diverging in CbN and CbV $\lambda$-calculi, and so is $\omega^n = \omega^v$ in the bang calculus, see Remark 11.

For any term $t \in \Lambda_O$, $t^n$ and $t^v$ are just different decorations of $t$ by means of the bang-operator $!$ (recall that $\iota = \lambda x.x$). The translation $(\cdot)^n$ puts the argument of any application into a box: in CbN any term is duplicable or discardable. On the other hand, only values (i.e. abstractions and variables) are translated by $(\cdot)^v$ into boxes, as they are the only terms duplicable or discardable in CbV.

As in [15,30], we prove that the CbN translation $(\cdot)^n$ (resp. CbV translation $(\cdot)^v$) from the pure CbN (resp. CbV) $\lambda$-calculus into the bang calculus is sound and complete: it maps $\beta$-reductions (resp. $\beta_v$-reductions) of the $\lambda$-calculus into $\beta!$-reductions of the bang calculus, and conversely $\beta!$-reductions, when restricted to the image of the translation, into $\beta$-reductions (resp. $\beta_v$-reductions). The same holds if we consider any $o$-reduction for operators, where we assume that the $o$-rule commutes with the translations: if $o(t_1, \ldots, t_k) \mapsto_o s$ then $o(t_1^n, \ldots, t_k^n) \mapsto_o s^n$, and if $o(t_1^n, \ldots, t_k^n) \mapsto_o S$ then $o(t_1, \ldots, t_k) \mapsto_o s$ with $s^n = S$; similarly for $(\cdot)^v$.

In the simulation, $\to_{\mathsf{d}}$ denotes the contextual closure of the rule:

$$\iota\,!T \mapsto_{\mathsf{d}} T \qquad \text{(this is nothing but } (\lambda x.x)\,!T \mapsto_{\beta!} T\text{)} \qquad (4)$$

Clearly, $\to_{\mathsf{d}} \subseteq \to_{\beta!}$ (Remark 11). We write $T \to_{\bar{\mathsf{d}}} S$ if $T \to_{\mathsf{d}}^* S$ and $S$ is $\mathsf{d}$-normal.

Proposition 13 (Simulation of CbN and CbV). Let $t \in \Lambda_O$ and $o \in O$.

1. CbN soundness: If $t \to_\beta t'$ then $t^n \to_{\beta!} t'^n$. If $t \to_o t'$ then $t^n \to_o t'^n$.
CbN completeness: If $t^n \to_{\beta!} S$ then $S = t'^n$ and $t \to_\beta t'$, for some $t' \in \Lambda_O$. If $t^n \to_o S$ then $S = t'^n$ and $t \to_o t'$, for some $t' \in \Lambda_O$.

2. CbV soundness: If $t \to_{\beta_v} t'$ then $t^v \to_{\beta!} \to_{\bar{\mathsf{d}}} t'^v$ with $t'^v$ $\mathsf{d}$-normal. If $t \to_o t'$ then $t^v \to_o \to_{\bar{\mathsf{d}}} t'^v$ with $t'^v$ $\mathsf{d}$-normal.
CbV completeness: If $t^v \to_{\beta!} \to_{\bar{\mathsf{d}}} S$ then $S = t'^v$ and $t \to_{\beta_v} t'$, for some $t' \in \Lambda_O$. If $t^v \to_o \to_{\bar{\mathsf{d}}} S$ then $S = t'^v$ and $t \to_o t'$, for some $t' \in \Lambda_O$.

Example 14. Let $t = (\lambda z.z)x\,y$ and $t' = xy$. So $t \to_\beta t'$ with $t^n = (\lambda z.!z)\,!x\,!y \to_{\beta!} x\,!y = t'^n$; and $t \to_{\beta_v} t'$ with $t^v = (\iota((\lambda z.!z)\,!x))\,!y \to_{\beta!} (\iota\,!x)\,!y \to_{\bar{\mathsf{d}}} x\,!y = t'^v$.

$^3$ Syntax and reduction rule of the bang calculus follow [15], which is slightly different from [11]. Unlike [15] (but akin to [30,16]), here we do not use $\mathsf{d}$ (aka $\mathsf{der}$) as a primitive, since $\mathsf{d}$ and its associated rule $\to_{\mathsf{d}}$ can be simulated, see Remark 11 and (4).


4 The least-level strategy

The bang calculus $\Lambda_!$ has a natural normalizing strategy, derived from linear logic [8], namely the least-level reduction. It reduces only redexes at least level, where the level of a redex $R$ in a term $T$ is the number of bangs $!$ in which $R$ is nested. Least-level reduction is easily extended to a general bang calculus $(\Lambda_{!O}, \to)$. The level of a redex $R$ is then the number of bangs $!$ and operators $o$ in which $R$ is nested; intuitively, least-level reduction fires a redex which is minimally nested.

Below, we formalize the reduction in a way that is independent of the specific shape of the redexes, and even of the specific definition of level one chooses. The interest of least-level reduction is in the properties it satisfies. All our developments will rely on such properties, rather than on the specific definition of least level.

In this section, $\to = \bigcup_\rho \to_\rho$ for $\rho \in \mathsf{Rules}$ (for a generic set of rules $\mathsf{Rules}$). We write $\mathcal{R} = \bigcup_\rho \mathcal{R}_\rho$ (again, with $\rho \in \mathsf{Rules}$) for the set of all redexes.


4.1 Least-level reduction in bang calculi

The level of a redex occurrence $R$ in a term $T$ is a measure of its depth. Formally, we indicate the occurrence of a subterm $R$ in $T$ with the context $C$ such that $C\langle R\rangle = T$. Its level is then the level $\ell(C) \in \mathbb{N}$ of the hole in $C$. The definition of level for contexts in a bang calculus $\Lambda_{!O}$ is formalized as follows.

$$\ell(\langle\cdot\rangle) = 0 \qquad \ell(\lambda x.C) = \ell(C) \qquad \ell(CT) = \ell(C) \qquad \ell(TC) = \ell(C)$$
$$\ell(!C) = \ell(C) + 1 \qquad \ell(o(\ldots, C, \ldots)) = \ell(C) + 1 \qquad (5)$$

Note that the level increases by 1 in the scope of $!$, and of any operator $o \in O$. A reduction step $T \to_\rho S$ is at level $k$ if it fires a $\rho$-redex at level $k \in \mathbb{N}$; it is least-level if it reduces a redex whose level is minimal. The least level $\ell\ell(T)$ of a term $T$ expresses the minimal level of any redex occurrence in $T$; if no redex is in $T$, we set $\ell\ell(T) = \infty$. Formally:

Definition 15 (Least-level reduction). Let $\to = \bigcup_\rho \to_\rho$ (for $\rho \in \mathsf{Rules}$) and $\mathcal{R} = \bigcup_\rho \mathcal{R}_\rho$ the set of redexes. Given a function $\ell(\cdot)$ from contexts to $\mathbb{N}$:

- The least level of a term $T$ is defined as$^4$

$$\ell\ell(T) := \inf\{\ell(C) \mid T = C\langle R\rangle \text{ for some } R \in \mathcal{R}\} \in (\mathbb{N} \cup \{\infty\}). \qquad (6)$$

- A $\rho$-reduction step $T \to_\rho S$ is:
1. at level $k$, noted $T \to_{\rho:k} S$, if $T = C\langle R\rangle$, $S = C\langle R'\rangle$, $R \mapsto_\rho R'$, $\ell(C) = k$;
2. least-level, noted $T \to^{\mathsf{ll}}_\rho S$, if $T \to_{\rho:k} S$ and $k = \ell\ell(T)$;
3. internal, noted $T \to^{\mathsf{int}}_\rho S$, if $T \to_{\rho:k} S$ and $k > \ell\ell(T)$.

- Least-level reduction is $\to^{\mathsf{ll}} = \bigcup_\rho \to^{\mathsf{ll}}_\rho$ (for $\rho \in \mathsf{Rules}$).

- Internal reduction is $\to^{\mathsf{int}} = \bigcup_\rho \to^{\mathsf{int}}_\rho$ (for $\rho \in \mathsf{Rules}$).

Note that $\to = \to^{\mathsf{ll}} \cup \to^{\mathsf{int}}$ and that our definitions solve the issue of Example 1. Indeed, the definition of least level $\ell\ell(T)$ of a term, and hence the definition of $\to^{\mathsf{ll}}_\rho$, depend on the whole set $\mathcal{R} = \bigcup_\rho \mathcal{R}_\rho$ of redexes associated with $\to$.$^5$

$^4$ Recall that $\inf \emptyset = \infty$, when $\emptyset$ is seen as the empty subset of $\mathbb{N}$ with the usual order.
$^5$ We should write $\ell\ell_{\mathcal{R}}(T)$, $\to^{\mathsf{ll}}_{\mathcal{R}}$ and $\to^{\mathsf{int}}_{\mathcal{R}}$, but we avoid it for the sake of readability.
Normal Forms. It is immediate that $\to^{\mathsf{ll}} \subseteq \to$ is a strategy for $\to$. Indeed, $\to^{\mathsf{ll}}$ and $\to$ have the same normal forms because $\to^{\mathsf{ll}} \subseteq \to$ and if a term has a $\to$-redex, it has a redex at least level, i.e. it has a $\to^{\mathsf{ll}}$-redex.

Remark 16 (Least level of normal forms). Note that $\ell\ell(T) = \infty$ if and only if $T$ is $\to$-normal, because $\ell(C) \in \mathbb{N}$ for all contexts $C$.

A good least-level reduction. The beauty of least-level reduction for the bang calculus is that it satisfies some elegant properties, which allow for neat proofs, in particular monotonicity and internal invariance (in Definition 17). The developments in the rest of the paper rely on such properties, and in fact will apply to any calculus whose reduction $\to$ has the properties described below.

Definition 17 (Good least-level). A reduction $\to$ has a good least-level if:

1. (monotonicity) $T \to S$ implies $\ell\ell(T) \leq \ell\ell(S)$; and
2. (internal invariance) $T \to^{\mathsf{int}} S$ implies $\ell\ell(T) = \ell\ell(S)$.

Point 1 states that no step can decrease the least level of a term. Point 2 says that internal steps cannot change the least level of a term. Therefore, only least-level steps may increase the least level. Together, they imply persistence: only least-level steps can approach normal forms.

Property 18 (Persistence). If $\to$ has a good least-level, then $T \to^{\mathsf{int}} S$ implies that $S$ is not $\to$-normal.

Reduction $\to_{\beta!}$ in the pure bang calculus $(\Lambda_!, \to_{\beta!})$ has a good least-level. More in general, the same holds when extending the reduction with operators.

Proposition 19 (Good least-level of bang calculi). Given $\Lambda_{!O}$, let $\to = \to_{\beta!} \cup \to_O$, where each $o \in O$ has redexes of shape $o(P_1, \ldots, P_k)$. The reduction $\to$ has a good least-level.


4.2 Least-level for a bang calculus: examples.

Let us see more closely the least-level reduction for a bang calculus $(\Lambda_{!O}, \to)$. For concreteness, we consider $\mathsf{Rules} = \{\beta!, o \mid o \in O\}$, hence the set of redexes is $\mathcal{R} = \mathcal{R}_{\beta!} \cup \mathcal{R}_O$, where $\mathcal{R}_O$ is the set of terms $o(T_1, \ldots, T_k)$ for any $o \in O$.

We observe that the least level $\ell\ell(T)$ of a term $T \in \Lambda_{!O}$ can be easily defined in a direct way, by induction on $T$:

- $\ell\ell(T) = 0$ if $T \in \mathcal{R} = \mathcal{R}_{\beta!} \cup \mathcal{R}_O$,
- otherwise, $\ell\ell(x) = \infty$ and

$$\ell\ell(\lambda x.T) = \ell\ell(T) \qquad \ell\ell(!T) = \ell\ell(T) + 1 \qquad \ell\ell(TS) = \min\{\ell\ell(T), \ell\ell(S)\}.$$

Example 20 (Least level of a term). Let $R \in \mathcal{R}_{\beta!}$. If $T_0 := R\,!R$, then $\ell\ell(T_0) = 0$. If $T_1 := x\,!R$ then $\ell\ell(T_1) = 1$. If $T_2 := o(x, y)\,!R$ then $\ell\ell(T_2) = 0$, as $o(x, y) \in \mathcal{R}_O$.

Intuitively, least-level reduction fires a redex that is minimally nested, where a redex is any subterm whose form is in $\mathcal{R} = \mathcal{R}_{\beta!} \cup \mathcal{R}_O$. Note that least-level reduction can choose to fire one among possibly several redexes at minimal level.

Example 21. Let us revisit Example 20 with $R = \iota\,!z \in \mathcal{R}_{\beta!}$ (so $R \to_{\beta!} z$, see Remark 11). Then $T_1 = x\,!R \to^{\mathsf{ll}}_{\beta!} x\,!z$ but $T_0 := R\,!R \not\to^{\mathsf{ll}}_{\beta!} R\,!z$ and $T_2 = o(x, y)\,!R \not\to^{\mathsf{ll}}_{\beta!} o(x, y)\,!z$. Also, $o(x, R) \not\to^{\mathsf{ll}}_{\beta!} o(x, z)$ although $o(x, R) \to_{\beta!} o(x, z)$.

Let $S = \iota\,!(z\,!z)$ (so $S \to_{\beta!} z\,!z$). In $(\lambda z.S)\,!S$, two least-level steps are possible (the fired $\beta!$-redex being, respectively, the whole term and the occurrence of $S$ in the body of the abstraction): $(\lambda z.S)\,!S \to^{\mathsf{ll}}_{\beta!} S\{S/z\}$ and $(\lambda z.S)\,!S \to^{\mathsf{ll}}_{\beta!} (\lambda z.z\,!z)\,!S$. But $(\lambda z.S)\,!S \not\to^{\mathsf{ll}}_{\beta!} (\lambda z.S)\,!(z\,!z)$ although $(\lambda z.S)\,!S \to_{\beta!} (\lambda z.S)\,!(z\,!z)$.
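The direct inductive definition of $\ell\ell(T)$ above, the occurrence-based definition (6), and the least-level and internal steps of Definition 15 can be run on the terms of Examples 20 and 21. The following Python is an added worked example, not code from the paper: terms are nested tuples, every $o(T_1, \ldots, T_k)$ counts as an $o$-redex as in this section, and the only operator it defines is the binary non-deterministic $\oplus$ of Example 9 (written `"+"`), which is an assumption of this example. It computes $\ell\ell$ both ways so they can be checked against each other, and enumerates least-level and internal reducts. It also makes concrete the remark after Definition 15: because $\ell\ell$ is taken over all of $\mathcal{R}$, the $o$-redex $o(x, y)$ in $T_2$ turns the $\beta!$-step inside the box into an internal step.

```python
"""Least-level reduction in a bang calculus with operators (added example).

Terms: ('var', x) ('lam', x, T) ('app', T, S) ('bang', T) ('op', o, [T1..Tk]).
Rules = {beta!} plus one rule per operator in OPS; as in Section 4.2 every
o(T1, ..., Tk) is an o-redex.  OPS maps an operator to its possible reducts;
only the non-deterministic '+' (the paper's ⊕) is defined, an assumption here.
"""
INF = float("inf")
OPS = {"+": lambda args: list(args)}      # ⊕(T, S) ↦ T and ⊕(T, S) ↦ S


def var(x): return ("var", x)
def lam(x, T): return ("lam", x, T)
def app(T, S): return ("app", T, S)
def bang(T): return ("bang", T)
def op(o, *args): return ("op", o, list(args))


IOTA = lam("x", var("x"))                 # ι := λx.x (Notation 10)


def is_redex(T):
    """T ∈ R = R_beta! ∪ R_O: (λx.T)!S, or any operator term."""
    return (T[0] == "app" and T[1][0] == "lam" and T[2][0] == "bang") or T[0] == "op"


def least_level(T):
    """ℓℓ(T) by the direct induction of Section 4.2."""
    if is_redex(T):    return 0
    if T[0] == "var":  return INF
    if T[0] == "lam":  return least_level(T[2])
    if T[0] == "bang": return least_level(T[1]) + 1
    return min(least_level(T[1]), least_level(T[2]))      # application


def free_vars(T):
    k = T[0]
    if k == "var":  return {T[1]}
    if k == "lam":  return free_vars(T[2]) - {T[1]}
    if k == "app":  return free_vars(T[1]) | free_vars(T[2])
    if k == "bang": return free_vars(T[1])
    return set().union(*map(free_vars, T[2]))


def subst(T, x, S):
    """Capture-avoiding T{S/x}: a binder clashing with fv(S) is renamed."""
    k = T[0]
    if k == "var":
        return S if T[1] == x else T
    if k == "lam":
        y, body = T[1], T[2]
        if y == x:
            return T
        if y in free_vars(S):
            fresh = y + "'"
            while fresh in free_vars(S) | free_vars(body):
                fresh += "'"
            body, y = subst(body, y, var(fresh)), fresh
        return lam(y, subst(body, x, S))
    if k == "app":
        return app(subst(T[1], x, S), subst(T[2], x, S))
    if k == "bang":
        return bang(subst(T[1], x, S))
    return ("op", T[1], [subst(A, x, S) for A in T[2]])


def steps(T, level=0):
    """All one-step reducts of T, each paired with the level (5) of the
    fired redex; bangs and operators raise the level of what they contain."""
    out, k = [], T[0]
    if is_redex(T) and k == "app":                   # (λx.T)!S ↦ T{S/x}
        out.append((level, subst(T[1][2], T[1][1], T[2][1])))
    elif k == "op":                                  # o(T1..Tk) ↦ each reduct
        out += [(level, R) for R in OPS[T[1]](T[2])]
    if k == "lam":
        out += [(l, lam(T[1], R)) for l, R in steps(T[2], level)]
    elif k == "app":
        out += [(l, app(R, T[2])) for l, R in steps(T[1], level)]
        out += [(l, app(T[1], R)) for l, R in steps(T[2], level)]
    elif k == "bang":
        out += [(l, bang(R)) for l, R in steps(T[1], level + 1)]
    elif k == "op":
        for i, A in enumerate(T[2]):
            out += [(l, ("op", T[1], T[2][:i] + [R] + T[2][i + 1:]))
                    for l, R in steps(A, level + 1)]
    return out


def least_level_by_positions(T):
    """ℓℓ(T) as in (6): the infimum of the levels of all redex occurrences."""
    return min((l for l, _ in steps(T)), default=INF)


def ll_steps(T):
    """Least-level reducts: the steps firing a redex at level ℓℓ(T)."""
    return [R for l, R in steps(T) if l == least_level(T)]


def internal_steps(T):
    """Internal reducts: the steps firing a redex strictly deeper than ℓℓ(T)."""
    return [R for l, R in steps(T) if l > least_level(T)]
```

For $T_0 = R\,!R$ with $R = \iota\,!z$, `ll_steps` returns only $z\,!R$ and `internal_steps` only $R\,!z$; for $(\lambda z.S)\,!S$ it returns the two least-level reducts of Example 21 and the single internal one. Adding a new operator means adding one entry to `OPS`; `least_level` needs no change, which is the modularity the definition is designed for.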


4.3 Least-level for CbN and CbV $\lambda$-calculi

The definition of least-level reduction in Section 4.1 is independent of the specific notion of level chosen, and of the specific calculus. The idea is that the reduction strategy persistently fires a redex at minimal level, once such a notion is set.

Least-level reduction can indeed be defined also for the CbN and CbV $\lambda$-calculi, given an opportune definition of level. In CbN, we count the number of nested arguments and operators containing the redex occurrence. In CbV, we count the number of nested operators and unapplied abstractions containing the redex occurrence, where an abstraction is unapplied if it is not the left-hand side (the function position) of an application. Formally, a redex occurrence is identified by a context (as explained in Section 4.1), and we define the level $\ell^{\mathsf{CbN}}(c) \in \mathbb{N}$ and $\ell^{\mathsf{CbV}}(c) \in \mathbb{N}$ of a context $c$ in CbN and CbV $\lambda$-calculi, respectively, as follows.

$$\ell^{\mathsf{CbN}}(\langle\cdot\rangle) = 0 \qquad\qquad \ell^{\mathsf{CbV}}(\langle\cdot\rangle) = 0$$
$$\ell^{\mathsf{CbN}}(\lambda x.c) = \ell^{\mathsf{CbN}}(c) \qquad\qquad \ell^{\mathsf{CbV}}(\lambda x.c) = \ell^{\mathsf{CbV}}(c) + 1$$
$$\ell^{\mathsf{CbN}}(ct) = \ell^{\mathsf{CbN}}(c) \qquad\qquad \ell^{\mathsf{CbV}}(ct) = \begin{cases} \ell^{\mathsf{CbV}}(c') & \text{if } c = \lambda x.c' \\ \ell^{\mathsf{CbV}}(c) & \text{otherwise} \end{cases}$$
$$\ell^{\mathsf{CbN}}(tc) = \ell^{\mathsf{CbN}}(c) + 1 \qquad\qquad \ell^{\mathsf{CbV}}(tc) = \ell^{\mathsf{CbV}}(c)$$
$$\ell^{\mathsf{CbN}}(o(\ldots, c, \ldots)) = \ell^{\mathsf{CbN}}(c) + 1 \qquad\qquad \ell^{\mathsf{CbV}}(o(\ldots, c, \ldots)) = \ell^{\mathsf{CbV}}(c) + 1$$

In both CbN and CbV $\lambda$-calculi, the least level of a term (denoted by $\ell\ell^{\mathsf{CbN}}(\cdot)$ and $\ell\ell^{\mathsf{CbV}}(\cdot)$) and least-level and internal reductions are given by Definition 15 (replace $\ell(\cdot)$ with $\ell^{\mathsf{CbN}}(\cdot)$ for CbN, and with $\ell^{\mathsf{CbV}}(\cdot)$ for CbV).

In Section 5 we will see that the definitions of CbN and CbV least level are not arbitrary, but induced by the CbN and CbV translations defined in Section 3.3.


5 Embedding of CbN and CbV by level

Here we refine the analysis of the CbN and CbV translations given in Section 3.3, by showing two new results: translations preserve normal forms (Proposition 22) and least level (Proposition 25), back and forth. This way, to obtain least-level factorization or least-level normalization results, it suffices to prove them in the bang calculus. The translation transfers the results into the CbN and CbV $\lambda$-calculi (Theorem 26). We use here the expression "translate" in a strong sense: the results for CbN and CbV $\lambda$-calculi are obtained from the corresponding results in the bang calculus almost for free, just via CbN and CbV translations.


Preservation of normal forms. The targets of the CbN translation $(\cdot)^n$ and CbV translation $(\cdot)^v$ into the bang calculus can be characterized syntactically. A fine analysis of these fragments of the bang calculus (see [12] for details) proves that both CbN and CbV translations preserve normal forms, back and forth.

Proposition 22 (Preservation of normal forms). Let $t \in \Lambda_O$ and $o \in O$.

1. CbN: $t$ is $\beta$-normal iff $t^n$ is $\beta!$-normal; $t$ is $o$-normal iff $t^n$ is $o$-normal.
2. CbV: $t$ is $\beta_v$-normal iff $t^v$ is $\beta!$-normal; $t$ is $o$-normal iff $t^v$ is $o$-normal.

By Remark 16, Proposition 22 can be seen as the fact that CbN and CbV translations preserve the least level of a term, back and forth, when the least level is infinite. Actually, this holds more in general for any value of the least level.

Preservation of levels. We aim to show that least-level steps in CbN and CbV $\lambda$-calculi correspond to least-level steps in the bang calculus, back and forth, via CbN and CbV translations, respectively (Proposition 25). This result is subtle, one of the main technical contributions of this paper.

First, we extend the definition of translations to contexts. The CbN and CbV translations for contexts are two functions $(\cdot)^n\colon \mathcal{C} \to \mathcal{C}_!$ and $(\cdot)^v\colon \mathcal{C} \to \mathcal{C}_!$, respectively, mapping contexts of the $\lambda$-calculus into contexts of the bang calculus:

$$\langle\cdot\rangle^n := \langle\cdot\rangle \qquad (\lambda x.c)^n := \lambda x.c^n \qquad (o(t_1, \ldots, c, \ldots, t_k))^n := o(t_1^n, \ldots, c^n, \ldots, t_k^n)$$
$$(ct)^n := c^n\,!t^n \qquad (tc)^n := t^n\,!c^n$$

$$\langle\cdot\rangle^v := \langle\cdot\rangle \qquad (\lambda x.c)^v := !(\lambda x.c^v) \qquad (o(t_1, \ldots, c, \ldots, t_k))^v := o(t_1^v, \ldots, c^v, \ldots, t_k^v)$$
$$(ct)^v := \begin{cases} C\,t^v & \text{if } c^v = !C \\ (\iota\,c^v)\,t^v & \text{otherwise} \end{cases} \qquad (tc)^v := \begin{cases} T\,c^v & \text{if } t^v = !T \\ (\iota\,t^v)\,c^v & \text{otherwise.} \end{cases}$$

Note that the CbN (resp. CbV) level of a context defined in Section 4.3 increases by 1 whenever the CbN (resp. CbV) translation for contexts adds a $!$. Thus, CbN and CbV translations preserve, back and forth, the level of a redex and the least level of a term. Said differently, the level for CbN and CbV is defined in Section 4.3 so as to enable the preservation of level via CbN and CbV translations.

Lemma 23 (Preservation of level via CbN translation).

1. For contexts: For any context $c \in \mathcal{C}$, one has $\ell^{\mathsf{CbN}}(c) = \ell(c^n)$.
2. For reduction: For any term $t \in \Lambda_O$: $t \to_{\beta:k} s$ if and only if $t^n \to_{\beta!:k} s^n$; and $t \to_{o:k} s$ if and only if $t^n \to_{o:k} s^n$, for any $o \in O$.
3. For least level of a term: For any term $t \in \Lambda_O$, one has $\ell\ell^{\mathsf{CbN}}(t) = \ell\ell(t^n)$.

Lemma 24 (Preservation of level via CbV translation).

1. For contexts: For any context $c \in \mathcal{C}$, one has $\ell^{\mathsf{CbV}}(c) = \ell(c^v)$.
2. For reduction: For any term $t \in \Lambda_O$: $t \to_{\beta_v:k} s$ if and only if $t^v \to_{\beta!:k} \to_{\bar{\mathsf{d}}} s^v$; and $t \to_{o:k} s$ if and only if $t^v \to_{o:k} \to_{\bar{\mathsf{d}}} s^v$, for any $o \in O$.
3. For least level of a term: For any term $t \in \Lambda_O$, one has $\ell\ell^{\mathsf{CbV}}(t) = \ell\ell(t^v)$.

From the two lemmas above it follows that CbN and CbV translations preserve least-level and internal reductions, back and forth.

Proposition 25 (Preservation of least-level and internal reductions). Let $t \in \Lambda_O$ and $o \in O$.

1. CbN least-level: $t \to^{\mathsf{ll}}_\beta s$ iff $t^n \to^{\mathsf{ll}}_{\beta!} s^n$; and $t \to^{\mathsf{ll}}_o s$ iff $t^n \to^{\mathsf{ll}}_o s^n$.
2. CbN internal: $t \to^{\mathsf{int}}_\beta s$ iff $t^n \to^{\mathsf{int}}_{\beta!} s^n$; and $t \to^{\mathsf{int}}_o s$ iff $t^n \to^{\mathsf{int}}_o s^n$.
3. CbV least-level: $t \to^{\mathsf{ll}}_{\beta_v} s$ iff $t^v \to^{\mathsf{ll}}_{\beta!} \to_{\bar{\mathsf{d}}} s^v$; and $t \to^{\mathsf{ll}}_o s$ iff $t^v \to^{\mathsf{ll}}_o \to_{\bar{\mathsf{d}}} s^v$.
4. CbV internal: $t \to^{\mathsf{int}}_{\beta_v} s$ iff $t^v \to^{\mathsf{int}}_{\beta!} \to_{\bar{\mathsf{d}}} s^v$; and $t \to^{\mathsf{int}}_o s$ iff $t^v \to^{\mathsf{int}}_o \to_{\bar{\mathsf{d}}} s^v$.

As a consequence, least-level reduction induces factorization in CbN and CbV $\lambda$-calculi as soon as it does in the bang calculus. And, by Proposition 22, it is a normalizing strategy in CbN and CbV as soon as it is so in the bang calculus.

Theorem 26 (Factorization and normalization by translation). Let $\Lambda_O^{\mathsf{CbN}} = (\Lambda_O, \to_\beta \cup \to_O)$ and $\Lambda_O^{\mathsf{CbV}} = (\Lambda_O, \to_{\beta_v} \cup \to_O)$.

1. If $\Lambda_{!O}$ admits least-level factorization $\mathsf{Fact}(\to^{\mathsf{ll}}, \to^{\mathsf{int}})$, then so do $\Lambda_O^{\mathsf{CbN}}$ and $\Lambda_O^{\mathsf{CbV}}$.

2. If $\Lambda_{!O}$ admits least-level normalization, then so do $\Lambda_O^{\mathsf{CbN}}$ and $\Lambda_O^{\mathsf{CbV}}$.

A similar result will hold also when extending the pure calculi with a rule $\to_\rho$ other than $\to_O$, as long as the translation preserves $\rho$-redexes, back and forth.

Remark 27 (Preservation of least-level and of normal forms). Preservation of normal forms and least level is delicate. For instance, it does not hold with the definition of the CbV translation $(\cdot)^v$ in [15,30]. There, the translation of $t = rs \in \Lambda$ would be $t^v = (\iota\,r^v)\,s^v$, and then Proposition 22 and Proposition 25 would not hold: when $r$ is a value, $r^v$ is a box, so $\iota\,r^v$ is a $\mathsf{d}$-redex in $t^v$ (see Remark 11), hence $t^v$ would not be normal even though $t$ is, and $\ell\ell(t^v) = 0$ even though $\ell\ell^{\mathsf{CbV}}(t) \neq 0$. This is why we defined two distinct cases when defining $(\cdot)^v$ for applications, akin to Bucciarelli et al. [7].


6 Least-level factorization via bang calculus

We have shown that least-level factorization in a bang calculus $\Lambda_{!O}$ implies least-level factorization in the corresponding CbN and CbV calculi, via forth-and-back translation. The central question now is how to prove least-level factorization for a bang calculus: this section is devoted to that, in the pure and applied cases.
Overview. Let us overview our approach by considering $O = \{o\}$, and $\to = \to_{\beta!} \cup \to_o$. Since by definition $\to^{\mathsf{ll}} = \to^{\mathsf{ll}}_{\beta!} \cup \to^{\mathsf{ll}}_o$ (and $\to^{\mathsf{int}} = \to^{\mathsf{int}}_{\beta!} \cup \to^{\mathsf{int}}_o$), Lemma 8 states that we can decompose least-level factorization of $\to$ in three modules:

1. prove least-level factorization of $\to_{\beta!}$, i.e. $\to_{\beta!}^* \subseteq \to^{\mathsf{ll}\,*}_{\beta!} \cdot \to^{\mathsf{int}\,*}_{\beta!}$;

2. prove least-level factorization of $\to_o$, i.e. $\to_o^* \subseteq \to^{\mathsf{ll}\,*}_o \cdot \to^{\mathsf{int}\,*}_o$;

3. prove the two linear swaps of Lemma 8.

Note that, for each of $\to_{\beta!}$ and $\to_o$, the least level is defined with respect to the set of all redexes $\mathcal{R} = \mathcal{R}_{\beta!} \cup \mathcal{R}_o$, so as to have $\to^{\mathsf{ll}} = \to^{\mathsf{ll}}_{\beta!} \cup \to^{\mathsf{ll}}_o$. This approach solves the issue we mentioned in Example 1.

Clearly, Points 2 and 3 depend on the specific rule $\to_o$. However, the beauty of a modular approach is that Point 1 can be established in general: we do not need to know $\to_o$, only the shape of its redexes given by $\mathcal{R}_o$. In Section 6.1 we provide a general result of least-level factorization for $\to_{\beta!}$ (Theorem 28). In fact, we shall show a bit more: the way of decomposing the study of factorization that we have sketched can be applied to study least-level factorization of any reduction $\to = \to_{\beta!} \cup \to_\rho$, as long as $\to$ has a good least-level.

Once (1) is established (once and for all), to prove factorization of a reduction $\to_{\beta!} \cup \to_o$ we are only left with (2) and (3). In Section 6.3 we show that the proof of the two linear swaps can be reduced to a single, simple test, involving only the $\mapsto_o$ step (Proposition 34). In Section 7, we will illustrate how all elements play together on a concrete case, applying them to non-deterministic $\lambda$-calculi.


6.1 Factorization of $\to_{\beta!}$ in a bang calculus

We show that $\to_{\beta!}$ factorizes via least-level reduction (Theorem 28). This holds for a definition of $\to^{\mathsf{ll}}_{\beta!}$ (as in Section 4) where the set of redexes $\mathcal{R}$ contains $\mathcal{R}_{\beta!} \cup \mathcal{R}_O$; this generalization has essentially no cost, and allows us to use Theorem 28 as a module in the factorization of larger reductions containing $\to_{\beta!}$.

We prove factorization via Takahashi's parallel reduction method [32]. We define a reflexive reduction $\Rightarrow^{\mathsf{int}}_{\beta!}$ (called parallel internal $\beta!$-reduction) which fulfills the conditions of Property 7, i.e. $\to^{\mathsf{int}\,*}_{\beta!} = \Rightarrow^{\mathsf{int}\,*}_{\beta!}$ and $\Rightarrow^{\mathsf{int}}_{\beta!} \cdot \to^{\mathsf{ll}}_{\beta!} \subseteq \to^{\mathsf{ll}\,*}_{\beta!} \cdot \Rightarrow^{\mathsf{int}\,=}_{\beta!}$. The tricky point is to prove that $\Rightarrow^{\mathsf{int}}_{\beta!} \cdot \to^{\mathsf{ll}}_{\beta!} \subseteq \to^{\mathsf{ll}\,*}_{\beta!} \cdot \Rightarrow^{\mathsf{int}}_{\beta!}$. We adapt the proof technique in [2]. All details are in [12]. Here we just give the definition of $\Rightarrow^{\mathsf{int}}_{\beta!}$.

We first introduce $\Rightarrow_{\beta!:n}$, with $n \in \mathbb{N} \cup \{\infty\}$ (the parallel version of $\to_{\beta!:n}$), which fires simultaneously a number of $\beta!$-redexes at level at least $n \in \mathbb{N}$, and $\Rightarrow_{\beta!:\infty}$ does not reduce any $\beta!$-redex: $T \Rightarrow_{\beta!:\infty} S$ implies $T = S$.

$$\frac{}{T \Rightarrow_{\beta!:\infty} T} \qquad \frac{T \Rightarrow_{\beta!:n} T'}{\lambda x.T \Rightarrow_{\beta!:n} \lambda x.T'} \qquad \frac{T \Rightarrow_{\beta!:n} T' \quad S \Rightarrow_{\beta!:m} S'}{TS \Rightarrow_{\beta!:\min\{m,n\}} T'S'}$$
$$\frac{T \Rightarrow_{\beta!:n} T'}{!T \Rightarrow_{\beta!:n+1} !T'} \qquad \frac{T \Rightarrow_{\beta!:n} T' \quad S \Rightarrow_{\beta!:m} S'}{(\lambda x.T)\,!S \Rightarrow_{\beta!:0} T'\{S'/x\}}$$

The parallel internal $\beta!$-reduction $\Rightarrow^{\mathsf{int}}_{\beta!}$ is the parallel version of $\to^{\mathsf{int}}_{\beta!}$, which fires simultaneously a number of $\beta!$-redexes that are not at minimal level. Formally,

$$T \Rightarrow^{\mathsf{int}}_{\beta!} S \quad\text{if}\quad T \Rightarrow_{\beta!:n} S \text{ with } n = \infty \text{ or } n > \ell\ell(T).$$

Theorem 28 (Least-level factorization of $\to_{\beta!}$). Let $\to_\rho$ be the contextual closure of a rule $\mapsto_\rho$, and assume that $\to = \to_{\beta!} \cup \to_\rho$ has a good least-level in $\Lambda_{!O}$. Then, $T \to_{\beta!}^* S$ implies $T \to^{\mathsf{ll}\,*}_{\beta!} \cdot \Rightarrow^{\mathsf{int}\,*}_{\beta!} S$.

In particular, as $\to_{\beta!}$ has a good least-level (Proposition 19) in $\Lambda_!$, we have:

Corollary 29 (Least-level factorization in the pure bang calculus). In the pure bang calculus $(\Lambda_!, \to_{\beta!})$, if $T \to_{\beta!}^* S$ then $T \to^{\mathsf{ll}\,*}_{\beta!} \cdot \Rightarrow^{\mathsf{int}\,*}_{\beta!} S$.

Surface Digression. According to Definition 15, $\beta!$-reduction $\to_{\beta!:0}$ at level 0 (called surface reduction in Simpson [31]) can only fire redexes at level 0, i.e., redexes that are not inside boxes or other operators. It can be equivalently defined as the closure of $\mapsto_{\beta!}$ under contexts $\mathcal{S}$ defined by $\mathcal{S} ::= \langle\cdot\rangle \mid \lambda x.\mathcal{S} \mid \mathcal{S}T \mid T\mathcal{S}$. Since $\to_{\beta!:0} \subseteq \to^{\mathsf{ll}}_{\beta!}$, from least-level factorization (Corollary 29) and monotonicity (Proposition 19), a new proof of a result already proven by Simpson [31] follows.

Corollary 30 (Surface factorization in the pure bang calculus). In the pure bang calculus $(\Lambda_!, \to_{\beta!})$, if $T \to_{\beta!}^* S$ then $T \to_{\beta!:0}^* \cdot \to_{\beta!:k}^* S$ with $k > 0$.


6.2 Pure calculi and least-level normalization 


Least-level factorization of +, implies in particular least-level factorization for 
—g and —g,. As a consequence, least-level reduction is a normalizing strategy 
for all three pure calculi: the bang calculus, the CbN, and the CbV A-calculi. 


The pure bang calculus. The least-level reduction =, is a normalizing strategy 


for —+g,. Indeed, it satisfies all ingredients in Lemma 4. Since we have least-level 
factorization (Corollary 29), same normal forms, and persistence (Proposition 19), 
7? 4, İs a complete strategy for +g: if T +5, S and S is §\-normal, then T =+,,* S. 

We already observed (Example 21) that the least-level reduction +4, is 


non-deterministic, because several redexes at least level may be available. Such 
non-determinism is however harmless and inessential, because +>, is uniform. 


Lemma 31 (Quasi-Diamond). In the pure bang calculus (A),—>,,), the re- 
duction >g, is quasi-diamond (Property 5), and therefore uniform. 


Putting all the ingredients together, we have (by Lemma 4): 


Theorem 32 (Least-level normalization). In the pure bang calculus (Aj, 
—p,), the least-level reduction >p, is a normalizing strategy for —>p,. 


Theorem 32 means not only that if T is weakly -normalizing then T can 
reach its normal form by just performing least-level steps, but also that performing 
whatever least-level steps eventually leads to the normal form, if any. 
Pure CbV and CbN λ-calculi. By forth-and-back translation (Theorem 26) the
least-level factorization and normalization results for the pure bang calculus
immediately transfer to the (pure) CbN and CbV settings.


Theorem 33 (CbV and CbN least-level normalization).
- CbN: In $(\Lambda, \to_\beta)$, $\to_{\ell\beta}$ is a normalizing strategy for $\to_\beta$.
- CbV: In $(\Lambda, \to_{\beta_v})$, $\to_{\ell\beta_v}$ is a normalizing strategy for $\to_{\beta_v}$.


6.3 Least-level Factorization, Modularly 


Least-level factorization of $\to_{\beta_!}$ (Theorem 28) can be used to prove factorization
for a more complex calculus. Indeed, a simple and modular test establishes
least-level factorization of a reduction $\to_{\beta_!} \cup \to_\rho$ ($\to_\rho$ is a reduction added to
$\to_{\beta_!}$), by adapting a similar result in [3]. The test relies on the fact that we have
already proved Theorem 28, and it simplifies Lemma 8: the proof of the two
linear swaps of Lemma 8 is reduced to a single, easier check, which only involves
the rule $\mapsto_\rho$. As usual, the least level in $\to_{\beta_!}$ and $\to_\rho$ is defined with respect to
the set $\mathcal{R} = \mathcal{R}_{\beta_!} \cup \mathcal{R}_\rho$ of redexes. An example of the use of this test is in Section 7.
Proposition 34 (Modular test for least-level factorization). Let $\to_\rho$ be
the contextual closure of a rule $\mapsto_\rho$, and assume that $\to\ =\ \to_{\beta_!} \cup \to_\rho$ has a good
least-level in $\Lambda_{!\rho}$. Then $\to$ factorizes via $\to_\ell\ =\ \to_{\ell\beta_!} \cup \to_{\ell\rho}$ if the following hold:

1. (least-level factorization of $\to_\rho$) $\to_\rho^* \subseteq\ \to_{\ell\rho}^* \cdot \to_{\neg\ell\rho}^*$;
2. (substitutivity of $\mapsto_\rho$) $R \mapsto_\rho R'$ implies $R\{T/x\} \mapsto_\rho R'\{T/x\}$;
3. (root linear swap) $\to_{\neg\ell\beta_!} \cdot \mapsto_\rho\ \subseteq\ \mapsto_\rho \cdot \to_{\beta_!}^*$.


7 Case study: non-deterministic λ-calculi


To show how to use our framework, we apply the tools we have developed to our
running example (see Examples 1 and 9). We extend the bang calculus with a non-
deterministic binary operator $\oplus$, that is, $(\Lambda_{!\oplus}, \to_{\beta_!\oplus})$ where $\to_{\beta_!\oplus}\ =\ \to_{\beta_!} \cup \to_\oplus$
and $\to_\oplus$ is the contextual closure of the (non-deterministic) rules:

$$\oplus(T, S) \mapsto_\oplus T \qquad\qquad \oplus(T, S) \mapsto_\oplus S.$$
First step: non-deterministic bang calculus. We analyze $\Lambda_{!\oplus}$. We use our modular
test to prove least-level factorization for $\Lambda_{!\oplus}$: if $T \to_{\beta_!\oplus}^* U$ then $T \to_{\ell\beta_!\oplus}^* \cdot \to_{\neg\ell\beta_!\oplus}^* U$.
By Lemma 4, an immediate consequence of the factorization result is that the
least-level strategy is complete: if $U$ is normal, $T \to_{\beta_!\oplus}^* U$ implies $T \to_{\ell\beta_!\oplus}^* U$.


Second step: CbN and CbV non-deterministic calculi. By translation, we have for
free that the analogous results hold in $\Lambda^{cbn}_\oplus$ and $\Lambda^{cbv}_\oplus$, as defined in Example 9.
So least-level factorization holds for both calculi, and moreover

- CbN completeness: in $\Lambda^{cbn}_\oplus$, if $u$ is normal, $t \to_{\beta\oplus}^* u$ implies $t \to_{\ell\beta\oplus}^* u$.
- CbV completeness: in $\Lambda^{cbv}_\oplus$, if $u$ is normal, $t \to_{\beta_v\oplus}^* u$ implies $t \to_{\ell\beta_v\oplus}^* u$.
What do we really need to prove? The only result we need to prove is least-
level factorization of $\to_{\beta_!\oplus}$. Completeness then follows by Lemma 4, and the
translations automatically take care of transferring the results.

To prove factorization of $\to_{\beta_!\oplus}$, most of the work is already done, since least-level
factorization of $\to_{\beta_!}$ is already established; we then use our test (Proposition 34)
to extend $\to_{\beta_!}$ with $\to_\oplus$. The only ingredients we need are substitutivity of $\mapsto_\oplus$
(which is an obvious property) and the following easy lemma.


Lemma 35 (Roots). Let $\rho \in \{\beta_!, \oplus\}$. If $T \to_{\neg\ell\rho} R \mapsto_\oplus S$ then $T \mapsto_\oplus \cdot \to_\rho^* S$.


Theorem 36 (Least-level factorization in non-deterministic calculi).

1. In $(\Lambda_{!\oplus}, \to)$, $\mathrm{Fact}(\to_\ell, \to_{\neg\ell})$ holds for $\to\ =\ \to_{\beta_!} \cup \to_\oplus$.
2. Least-level factorization holds in $(\Lambda^{cbn}_\oplus, \to_\beta \cup \to_\oplus)$ and in $(\Lambda^{cbv}_\oplus, \to_{\beta_v} \cup \to_\oplus)$.


Proof. 1. It is enough to verify the hypotheses of Proposition 34, via Lemma 35.
2. It follows from Theorem 26 and Theorem 36.1.


Completeness is the best that can be achieved in these calculi, because of the
true non-determinism of $\to_\oplus$ and hence of least-level reduction and of any other
complete strategy for $\to$. For instance, in $\Lambda^{cbn}_\oplus$ there is no normalizing strategy
for $\oplus(x, \delta\delta)$ in the sense of Definition 2, since $x\ {}_\oplus\!\!\leftarrow \oplus(x, \delta\delta) \to_\oplus \delta\delta \to_\beta \delta\delta \to_\beta \cdots$: the term has the normal form $x$, but a least-level step may also pick the diverging branch.


8 Conclusions and Related Work 


Combining translations (Theorem 26), least-level factorization for $\to_{\beta_!}$ (Theo-
rem 28), and modularity (Proposition 34) gives us a powerful method to analyze
factorization in various λ-calculi that extend the pure CbN and CbV calculi. The
main novelty is transferring the results from one calculus to another via translations.


Related Work. Many calculi inspired by linear logic subsume CbN and CbV, such 
as [5,6,29,24] (other than the ones already cited). We chose the bang calculus for 
its simplicity, which eases the analysis of the CbN and CbV translations. 

To study CbN and CbV in a uniform way, an approach orthogonal to ours
is given by Ronchi della Rocca and Paolini's parametric λ-calculus [28]. It is a
meta-calculus, where the reduction rule is parametric with respect to a subset
of terms (called values) with suitable properties. Different choices for the set
of values define different calculi, that is, different reductions. This allows for a
uniform presentation of proof arguments, such as the proof of standardization,
which is actually a meta-proof that can be instantiated in both CbN and CbV.

Least-level reduction is studied for calculi based on linear logic in [34,1] and
for linear logic proof-nets in [8,26]. It is studied for the pure CbN λ-calculus in [2].
Abstract. We introduce a generalization of Girard et al.'s BLL called
GBLL (and its affine variant GBAL). It is designed to capture the core
mechanism of dependency in BLL, while it is also able to separate com-
plexity aspects of BLL. The main feature of GBLL is to adopt a multi-
object pseudo-semiring as a grading system of the !-modality. We analyze
the complexity of cut-elimination in GBLL, and give a translation from
BLL with constraints to GBAL with positivity axiom. We then introduce
indexed linear exponential comonads (ILEC for short) as a categorical
structure for interpreting the !-modality of GBLL. We give an elemen-
tary example of ILEC using folding product, and a technique to modify
ILECs with symmetric monoidal comonads. We then consider a seman-
tics of BLL using the folding product on the category of assemblies of
a BCI-algebra, and relate the semantics with the realizability category
studied by Hofmann, Scott and Dal Lago.


Keywords: Linear Logic - Categorical Semantics - Linear Exponential 
Comonad - Graded Comonad 


1 Introduction 


Girard’s linear logic is a refinement of propositional logic by restricting weakening 
and contraction in proofs [15]. Linear logic also has an of-course modality !, which 
restores these structural rules to formulas of the form ! A. 

Later, Girard et al. extended the !-modality with quantitative information so
that usage of !-modal formulas in proofs can be quantitatively controlled [16].
This extension, called bounded linear logic (BLL for short), is successfully applied
to a logical characterization of P-time computations.

Their extension takes two steps. First, the !-modality is extended to the form
$!_r A$, where the index $r$ is an element of a semiring [16, Section 2.4]. The index $r$ is
called grade in modern terminology [11,13]. This extension and its variants have
been employed in various logics and programming languages [7,30,14,26,28]. The
categorical structure corresponding to $!_r A$ is identified as graded linear exponen-
tial comonad [11,13,22].

Second, the $!_r$-modality is further extended to the form $!_{x<p}A$, where $p$ is a
polynomial (called resource polynomial) giving the upper bound of $x$ [16, Sec-
tion 3]. The formula $!_{x<p}A$ also binds free occurrences of the resource variable
$x$ in resource polynomials in $A$. Therefore, in BLL, both formulas and resource
polynomials depend on the values stored in free resource variables. This depen-
dency mechanism significantly increases the expressiveness of BLL, leading to a
characterization of P-time complexity.

This characterization result was later revisited through a realizability seman-
tics of BLL [6,9,10]. Inside this semantics, however, mechanisms for controlling
the complexity of program execution are hard-coded, and it is not very clear which
semantic structure realizes the dependency mechanism of BLL. This leads us
to seek a logical and categorical understanding of BLL's dependency mechanism
hidden underneath the complexity-related features, such as resource polynomials
and computability constraints.

As a result of the quest, we propose a generalization of BLL called GBLL,
and study its categorical semantics. The central idea of the generalization is to
replace the grading semiring of the $!_r$-modality with a particular multi-object
pseudo-semiring realized as a 2-category. Let us see how this replacement works.
In GBLL, each formula is formed by deriving a judgment of the form $\Lambda \vdash A$,
where $\Lambda$ is a set (called index set) and $A$ is a raw formula. We may think that
such a well-formed formula $\Lambda \vdash A$ denotes a $\Lambda$-indexed family $\{[\![A]\!]_i\}_{i \in \Lambda}$ of
denotations. The formation rule for !-modal formulas in GBLL is the following:

$$\frac{\Lambda' \vdash A \qquad f \in \mathbf{Set}(\Lambda, (\Lambda')^*)}{\Lambda \vdash\ !_f A} \qquad ((-)^* : \text{Kleene closure})$$


where the function $f$ abstractly represents dependency. This modality is enough
to express the $!_{x<p}$-modality of BLL: we express the binding $x < p$ under a resource
variable context $\vec{y}$ as the function $f_p(\vec{y}) = (\vec{y}, 0) \cdots (\vec{y}, p(\vec{y}) - 1)$ that returns the
list of environments extended with values less than $p(\vec{y})$. Then the denotation of
the $!_f A$-modality is given by a variable-arity operator $D$. For each index $i \in \Lambda$,
the denotation is given by applying $D$ to the denotations obtained by mapping
$[\![A]\!]$ to the list $f(i)$:

$$[\![!_f A]\!]_i = D([\![A]\!]_{j_1}, \ldots, [\![A]\!]_{j_n}) \qquad \text{where } j_1 \cdots j_n = f(i).$$

A simple example of a variable-arity modal operator is the folding product
$D(X_1, \ldots, X_n) = X_1 \otimes \cdots \otimes X_n$.

The pseudo-semiring structure on the class of functions of the form $\Lambda \to
(\Lambda')^*$ is given as follows. For the multiplication $g \bullet f$, we adopt the Kleisli com-
position of the free monoid monad $(-)^*$, while for the addition $f + g$, the pointwise
concatenation $(f + g)(x) = f(x)g(x)$. However, these operations fail to satisfy
one of the semiring axioms: $(f + g) \bullet h = f \bullet h + g \bullet h$. To fix this, we introduce
(pointwise) list permutations as 2-cells between functions of type $\Lambda \to (\Lambda')^*$.
These data form a 2-category $\mathbf{Idx}$, which may be seen as a multi-object pseudo-
semiring. Weakening, contraction, digging and dereliction in GBLL interact with
these operations, much like the $!_r$-modality in [7].

We first study syntactic properties of GBLL. We introduce cut-elimination to
GBLL and study its complexity property. It turns out that the proof technique
used in BLL naturally extends to GBLL: as done in [16], we classify cuts
into reducible and irreducible ones, introduce proof weight, and show that the
reduction steps of reducible cuts will terminate in time cubic in the proof weight.
We also examine the expressive power of GBLL by giving a translation from an
extension of BLL with constraints that are seen in Dal Lago et al.'s QBAL [10].

We next give a categorical semantics of GBLL. We introduce the concept of
indexed linear exponential comonad (ILEC); it is an $\mathbf{Idx}$-graded linear exponen-
tial comonad satisfying a commutativity condition with respect to an underlying
indexed SMCC. Then we present a construction of an ILEC from a symmetric
monoidal closed category $\mathbb{C}$ with a symmetric monoidal comonad on it. We ap-
ply this construction to the case where $\mathbb{C}$ is the category of assemblies over a
BCI algebra [2,20], and relate the semantics of GBLL with the constructed ILEC
and the realizability category studied in [9,10].


Acknowledgment The first author was supported by JST ERATO HASUO Meta- 
mathematics for Systems Design Project (No. JPMJER1603). The authors are 
grateful to anonymous reviewers for comments, and Masahito Hasegawa, Nao- 
hiko Hoshino, Clovis Eberhart and Jérémy Dubut for fruitful discussions. 


Preliminaries. For a set $A$, by $A^*$ we mean the set of finite sequences over $A$.
The empty sequence is denoted by $()$. Juxtaposition of $A^*$-elements denotes the
concatenation of sequences. For $x \in A^*$, by $|x|$ we mean the length of $x$. We
identify a natural number $n$ and the set $\{0, \ldots, n-1\}$; note that $0 = \emptyset$. We also
identify a sequence $x \in A^*$ and the function "$\lambda i \in |x|.$ the $i$-th element of $x$".


2 Generalized Bounded Linear Logic 


2.1 Indexing 2-Category 


We first introduce a 2-category $\mathbf{Idx}$ (and its variant $\mathbf{Idx}_a$), which may be seen
as a multi-object pseudo-semiring. It consists of the following data³: 0-cells are
sets (called index sets), and the hom-category $\mathbf{Idx}(\Lambda, \Lambda')$, which is actually a
groupoid, is defined by:

- An object (1-cell) is a function $f : \Lambda \to (\Lambda')^*$.
- A morphism (2-cell) from $f$ to $g$ in $\mathbf{Idx}(\Lambda, \Lambda')$ is a $\Lambda$-indexed family of
  bijections $\{\sigma_x : |g(x)| \to |f(x)|\}_{x \in \Lambda}$ such that $f(x)(\sigma_x(i)) = g(x)(i)$.

The identity 1-cell and the composition of 1-cells in $\mathbf{Idx}$ are denoted by $\mathrm{i}$ and
$(\bullet)$, respectively. The composition is defined by $(g \bullet f)(x) = g(y_1) \cdots g(y_n)$ where
$y_1 \cdots y_n = f(x)$. The hom-category $\mathbf{Idx}(\Lambda, \Lambda')$ has a symmetric strict monoidal
structure:

- the monoidal unit is the constant empty-sequence function $0(x) = ()$,
- the tensor product of $f, g$, denoted by $f + g$, is defined by the index-wise
  concatenation $(f + g)(x) = f(x)g(x)$.

³ This is a full sub-2-category of the Kleisli 2-category $\mathbf{CAT}_S$, where $S$ is the 2-monad
of symmetric strict monoidal categories [21].


We write $J : \mathbf{Set} \to \mathbf{Idx}$ for the inclusion, namely $J\Lambda = \Lambda$ and $(Jf)(x) = (f(x))$
(the singleton sequence).


Proposition 2.1. The composition $\bullet$ is symmetric strong monoidal in each ar-
gument. In particular, we have

$$f \bullet 0 = 0 \qquad 0 \bullet f = 0 \qquad f \bullet (g + h) = f \bullet g + f \bullet h \qquad (f + g) \bullet h \cong f \bullet h + g \bullet h,$$

where the last one is an isomorphism (an invertible 2-cell, i.e. a pointwise permutation) rather than an equality of 1-cells: $((f+g) \bullet h)(x)$ interleaves the blocks $f(y)g(y)$ for $y \in h(x)$, while $(f \bullet h + g \bullet h)(x)$ lists all $f(y)$ blocks before all $g(y)$ blocks.


We also define $\mathbf{Idx}_a$ by replacing "bijection" in the definition of 2-cells of $\mathbf{Idx}$
with "injection". The hom-category $\mathbf{Idx}_a(\Lambda, \Lambda')$ has the 1-cell $0$ as the terminal
object, hence is a symmetric affine monoidal category.


2.2 Formulas and Proofs 


Definition of GBLL Formulas. We first fix a set-indexed family of sets $\{\mathcal{A}(\Lambda)\}_{\Lambda \in \mathbf{Set}}$
of atomic propositions. Formulas are defined by the following BNF:

$$A ::= a * r \mid A \otimes A \mid A \multimap A \mid\ !_f A$$

where $a \in \mathcal{A}(\Lambda)$ for some set $\Lambda$, $r$ is a function (called reindexing function) and
$f$ is a 1-cell in $\mathbf{Idx}$. Formula formation rules are introduced to derive the pair
$\Lambda \vdash A$ of an index set $\Lambda$ and a formula $A$. They are defined as follows:

$$\frac{a \in \mathcal{A}(\Lambda') \quad r \in \mathbf{Set}(\Lambda, \Lambda')}{\Lambda \vdash a * r} \qquad
\frac{\Lambda \vdash A \quad \Lambda \vdash B}{\Lambda \vdash A \otimes B} \qquad
\frac{\Lambda \vdash A \quad \Lambda \vdash B}{\Lambda \vdash A \multimap B} \qquad
\frac{\Lambda' \vdash A \quad f \in \mathbf{Idx}(\Lambda, \Lambda')}{\Lambda \vdash\ !_f A}$$

The formula $a * r$ represents the atomic formula $a$ precomposed with a reindexing
function $r$. We write $\mathrm{Fml}(\Lambda) = \{A \mid \Lambda \vdash A\}$.
We next introduce the reindexing operation on formulas.


Definition 2.1. For a reindexing function $r \in \mathbf{Set}(\Lambda, \Lambda')$, we define the rein-
dexing operator $(-)|_r : \mathrm{Fml}(\Lambda') \to \mathrm{Fml}(\Lambda)$ along $r$ by

$$(a * r')|_r = a * (r' \circ r), \qquad (A \otimes B)|_r = A|_r \otimes B|_r, \qquad (A \multimap B)|_r = A|_r \multimap B|_r, \qquad (!_f A)|_r =\ !_{f \bullet Jr} A.$$


We routinely extend reindexing operators to sequences of formulas well-formed
under a common index set.


We quotient the set of well-formed formulas by the least congruent equiva-
lence relation generated from the following binary relation:

$$\{(!_{Jr \bullet f} A,\ !_f (A|_r)) \mid r \in \mathbf{Set}(\Lambda', \Lambda''),\ f \in \mathbf{Idx}(\Lambda, \Lambda'),\ \Lambda'' \vdash A\} \qquad (2.1)$$


We see some formations of formulas in GBLL.

Example 2.1. Let us illustrate how a formula $!_{y<x+2}!_{z<2x+y}A$ in BLL is represented
in GBLL; here we assume that $x, y, z$ are the only resource variables used in this
formula. We first introduce a notation. Let $E$ be a mathematical expression using
variables $x_1, \ldots, x_n$. Then by $[E]_n : \mathbb{N}^n \to (\mathbb{N}^{n+1})^*$ we mean the function

$$[E]_n(\vec{a}) = (\vec{a}, 0)(\vec{a}, 1) \cdots (\vec{a}, E[a_1/x_1, \ldots, a_n/x_n] - 1) \qquad (\vec{a} = (a_1, \ldots, a_n) \in \mathbb{N}^n).$$

For instance, $[x_1^2]_1(x) = (x, 0) \cdots (x, x^2 - 1)$. Then from a well-formed formula
$\mathbb{N}^3 \vdash A$, we obtain $\mathbb{N} \vdash\ !_{[x_1+2]_1} !_{[2x_1+x_2]_2} A$. Generalizing this, a BLL formula $!_{x<p}A$
containing resource variables $x_1, \ldots, x_n$ corresponds to the GBLL formula $!_{[p]_n} A$.


Example 2.2. We look at how we express the substitution of a resource polyno-
mial $A[x := p(x_1, \ldots, x_n)]$. We define a function $(p)_n : \mathbb{N}^n \to \mathbb{N}^{n+1}$ by

$$(p)_n(x_1, \ldots, x_n) = (x_1, \ldots, x_n, p(x_1, \ldots, x_n)).$$

Then, for $\mathbb{N}^{n+1} \vdash A$, the reindexed formula $\mathbb{N}^n \vdash A|_{(p)_n}$ corresponds to $A[x := p(x_1, \ldots, x_n)]$.


Example 2.3. We illustrate the equality between well-formed formulas. Consider
a formula $\mathbb{N} \vdash A$ and a function $r \in \mathbf{Set}(\mathbb{N}^3, \mathbb{N})$. Then we equate the formulas
$\mathbb{N}^2 \vdash\ !_{[x_1+x_2]_2}(A|_r)$ and $\mathbb{N}^2 \vdash\ !_h A$, where $h \in \mathbf{Idx}(\mathbb{N}^2, \mathbb{N})$ is given by

$$h = Jr \bullet [x_1+x_2]_2 : (x, y) \mapsto r(x, y, 0)\ r(x, y, 1) \cdots r(x, y, x+y-1).$$


Definition of GBLL Proofs. A judgment of GBLL has the form $\Lambda \mid \Gamma \vdash A$,
where $\Lambda$ is an index set, $\Gamma$ is a sequence of formulas well-formed under $\Lambda$, and
$A$ is a formula well-formed under $\Lambda$. The inference rules of GBLL
are presented in Fig. 1. Similarly, we define GBAL to be the system obtained by
replacing $\mathbf{Idx}$ in Fig. 1 with $\mathbf{Idx}_a$.


Example 2.4. We mimic a special case of the contraction rule in BLL

$$\frac{\Gamma,\ !_{x<p}A,\ !_{y<q}A\{p+y/x\} \v B}{\Gamma,\ !_{x<p+q}A \vdash B}$$

See also the (!C)-rule of CBLL in Section 3.2. We use the shift function $s_{n,i} \in
\mathbf{Set}(\mathbb{N}^{n+1}, \mathbb{N}^{n+1})$ defined by $s_{n,i}(x_1, \ldots, x_n, y) = (x_1, \ldots, x_n, x_i + y)$. Then
we easily see $[x_i]_n + Js_{n,i} \bullet [x_j]_n = [x_i + x_j]_n$. By the contraction rule of GBLL, we
obtain the following derivation for well-formed formulas $\mathbb{N}^{n+1} \vdash A$ and $\mathbb{N}^n \vdash B$,
mimicking the contraction of BLL:

$$\frac{\Gamma,\ !_{[x_i]_n}A,\ !_{[x_j]_n}(A|_{s_{n,i}}) \vdash B}{\Gamma,\ !_{[x_i]_n + Js_{n,i} \bullet [x_j]_n}A =\ !_{[x_i+x_j]_n}A \vdash B}$$

Here, we use the formula equality $!_{Js_{n,i} \bullet [x_j]_n}A =\ !_{[x_j]_n}(A|_{s_{n,i}})$.
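The following is an added worked example, not code from the paper: it models 1-cells of $\mathbf{Idx}$ as Python functions from tuples (elements of $\mathbb{N}^n$) to lists (finite sequences), implements $\bullet$, $+$, $0$ and $J$ from Section 2.1 and the $[E]_n$ and $s_{n,i}$ functions of Examples 2.1 and 2.4, and checks two facts on concrete inputs: the contraction identity $[x_i]_n + Js_{n,i} \bullet [x_j]_n = [x_i+x_j]_n$ holds as an exact equality of lists, whereas $(f+g) \bullet h$ and $f \bullet h + g \bullet h$ agree only up to a permutation, which is why 2-cells are needed. All function names are my own.

```python
# Added example (not from the paper): 1-cells of Idx as Python functions
# Lambda -> list over Lambda', with the operations of Section 2.1 and the
# [E]_n / shift functions of Examples 2.1 and 2.4. Tuples play the role of
# elements of N^n; lists play the role of finite sequences (A*).
from collections import Counter


def compose(g, f):
    """Kleisli composition (g . f)(x) = g(y_1) ... g(y_n) where y_1 ... y_n = f(x)."""
    return lambda x: [z for y in f(x) for z in g(y)]


def plus(f, g):
    """Pointwise concatenation (f + g)(x) = f(x) g(x), the monoidal product."""
    return lambda x: f(x) + g(x)


def zero(x):
    """The monoidal unit 0(x) = (), the empty sequence."""
    return []


def J(r):
    """Inclusion Set -> Idx: a plain function becomes a singleton-sequence function."""
    return lambda x: [r(x)]


def bracket(expr, n):
    """[E]_n : N^n -> (N^{n+1})*, listing (a,0), ..., (a, E(a)-1); expr evaluates E on an n-tuple."""
    return lambda a: [a + (k,) for k in range(expr(a))]


def shift(n, i):
    """s_{n,i}(x_1, ..., x_n, y) = (x_1, ..., x_n, x_i + y), with i counted from 1."""
    return lambda v: v[:n] + (v[i - 1] + v[n],)


def contraction_identity(n, i, j, a):
    """Example 2.4's identity [x_i]_n + J s_{n,i} . [x_j]_n = [x_i + x_j]_n, checked at a in N^n.
    Returns True when both sides produce the same list (not merely the same multiset)."""
    lhs = plus(bracket(lambda v: v[i - 1], n),
               compose(J(shift(n, i)), bracket(lambda v: v[j - 1], n)))
    rhs = bracket(lambda v: v[i - 1] + v[j - 1], n)
    return lhs(a) == rhs(a)


def nested_bang(x):
    """Example 2.1: the 1-cell [2x_1 + x_2]_2 . [x_1 + 2]_1 : N -> (N^3)* behind
    !_{y<x+2} !_{z<2x+y} A, i.e. all (x, y, z) with y < x + 2 and z < 2x + y."""
    outer = bracket(lambda v: v[0] + 2, 1)
    inner = bracket(lambda v: 2 * v[0] + v[1], 2)
    return compose(inner, outer)((x,))


def distributivity_witness():
    """The semiring law (f+g).h = f.h + g.h holds only up to reordering: the two
    sides agree as multisets (a 2-cell, i.e. a permutation, exists) but not as lists."""
    h = lambda x: [x, x + 1]            # h : N -> N*
    f = lambda y: ["f%d" % y]           # f, g : N -> (str)*, distinguishable outputs
    g = lambda y: ["g%d" % y]
    lhs = compose(plus(f, g), h)(0)
    rhs = plus(compose(f, h), compose(g, h))(0)
    return lhs, rhs


def same_up_to_permutation(xs, ys):
    """True iff some bijection of positions identifies xs and ys (a 2-cell of Idx)."""
    return Counter(xs) == Counter(ys)


if __name__ == "__main__":
    print(contraction_identity(2, 1, 2, (2, 3)))
    print(nested_bang(1))
    lhs, rhs = distributivity_witness()
    print(lhs, rhs, same_up_to_permutation(lhs, rhs))
```

Running the script prints the interleaved list `['f0', 'g0', 'f1', 'g1']` against the blocked list `['f0', 'f1', 'g0', 'g1']`: the same multiset, different sequences, which is exactly the gap that the permutation 2-cells of $\mathbf{Idx}$ close.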
$$\frac{}{\Lambda \mid A \vdash A}\ (\mathrm{Ax})\ \text{Axiom} \qquad
\frac{\Lambda \mid \Gamma, X, Y, \Gamma' \vdash A}{\Lambda \mid \Gamma, Y, X, \Gamma' \vdash A}\ (\mathrm{Exch})\ \text{Exchange} \qquad
\frac{\Lambda \mid \Gamma \vdash A \quad \Lambda \mid \Gamma', A \vdash B}{\Lambda \mid \Gamma, \Gamma' \vdash B}\ (\mathrm{Cut})$$

$$\frac{\Lambda \mid \Gamma, X, Y \vdash A}{\Lambda \mid \Gamma, X \otimes Y \vdash A}\ (\otimes L) \qquad
\frac{\Lambda \mid \Gamma \vdash X \quad \Lambda \mid \Gamma' \vdash Y}{\Lambda \mid \Gamma, \Gamma' \vdash X \otimes Y}\ (\otimes R)$$

$$\frac{\Lambda \mid \Gamma \vdash X \quad \Lambda \mid \Gamma', Y \vdash B}{\Lambda \mid \Gamma, \Gamma', X \multimap Y \vdash B}\ (\multimap L) \qquad
\frac{\Lambda \mid \Gamma, X \vdash Y}{\Lambda \mid \Gamma \vdash X \multimap Y}\ (\multimap R)$$

$$\frac{\Lambda \mid \Gamma \vdash B}{\Lambda \mid \Gamma,\ !_0 A \vdash B}\ (!W)\ \text{Weakening} \qquad
\frac{\Lambda \mid \Gamma, A \vdash B}{\Lambda \mid \Gamma,\ !_{\mathrm{i}} A \vdash B}\ (!D)\ \text{Dereliction}$$

$$\frac{\Lambda \mid \Gamma,\ !_g A \vdash B \quad \sigma \in \mathbf{Idx}(\Lambda, \Lambda')(f, g)}{\Lambda \mid \Gamma,\ !_f A \vdash B}\ (!F)\ \text{!-Functor} \qquad
\frac{\Lambda \mid \Gamma,\ !_f A,\ !_g A \vdash B}{\Lambda \mid \Gamma,\ !_{f+g} A \vdash B}\ (!C)\ \text{Contraction}$$

$$\frac{\Lambda' \mid\ !_{g_1} A_1, \ldots, !_{g_k} A_k \vdash B \quad f \in \mathbf{Idx}(\Lambda, \Lambda')}{\Lambda \mid\ !_{g_1 \bullet f} A_1, \ldots, !_{g_k \bullet f} A_k \vdash\ !_f B}\ (P!)\ \text{Composition}$$

Fig. 1. GBLL Proof Rules


Example 2.5. The reindexing operator can be extended to proofs. Let $r$ be a
reindexing function in $\mathbf{Set}(\Lambda, \Lambda')$. Reindexing of the axiom rule $\Lambda' \mid A \vdash A$
by $r$ is the axiom rule $\Lambda \mid A|_r \vdash A|_r$. Reindexing of the other rules except (P!)
can be easily defined: the judgment $\Lambda' \mid \Gamma \vdash A$ in each rule is replaced with
$\Lambda \mid \Gamma|_r \vdash A|_r$ by reindexing. For the (P!) rule, reindexing by $r$ is given as follows:

$$\frac{\Lambda'' \mid\ !_{g_1} A_1, \ldots, !_{g_k} A_k \vdash B \quad f \bullet Jr \in \mathbf{Idx}(\Lambda, \Lambda'')}{\Lambda \mid (!_{g_1 \bullet f} A_1)|_r, \ldots, (!_{g_k \bullet f} A_k)|_r \vdash (!_f B)|_r}$$


Remark 2.1. In this paper, the indexing 2-category is either $\mathbf{Idx}$ or $\mathbf{Idx}_a$. Allowing
more general indexing 2-categories in GBLL is future work. In his PhD thesis,
Breuvart designed a linear logic similar to GBLL upon an abstract indexing mech-
anism called dependent semirings [5, Definition 3.2.4.5]. It consists of categories
$(S, U)$ such that 1) each hom-set in $S$ carries a (not necessarily commutative)
ordered monoid structure $(0, +)$ and the composition of $S$ distributes over $0, +$,
and 2) $U$ acts on $S$ from both sides. Roughly speaking, $S$ and $U$ correspond to
our $\mathbf{Idx}^{op}$ and $\mathbf{Set}^{op}$, respectively. We expect that a unification of dependent
semirings and the 2-categories $\mathbf{Idx}, \mathbf{Idx}_a$ would yield a suitable generalization of
indexing categories for GBLL. This generalization will subsume non-graded
linear logic, and allow us to compare GBLLs over different indexing categories.
2.3 Complexity of Cut-Elimination in GBLL


By a similar discussion to BLL [16], instances of the Cut inference are divided into two
classes: reducible cuts and irreducible cuts. We define the weight $|\pi|$ of each
proof $\pi \rhd \Lambda \mid \Gamma \vdash A$ and reduction steps of proofs, such that, for each index
$\delta \in \Lambda$, every sequence of reduction steps terminates in a number of steps polynomial in $|\pi|(\delta)$.


Definition 2.2. [16, Appendix A] In GBLL (resp. GBAL) proofs, an instance of
the Cut inference is irreducible if there is at least one Composition rule below
it, or if its left premise is obtained by a Composition rule with nonempty context
and the other premise is obtained by a Weakening, !-Functor, Dereliction, Con-
traction or Composition inference. A reducible cut is a Cut inference that is not
irreducible.


The definitions of (ir)reducibility and weight are adapted from Girard's paper.
Therefore, our system inherits from BLL the conditions under which cuts can be
reduced. See also Section 2.4 in [16].


Definition 2.3. A GBLL or GBAL proof is irreducible if it contains only irre- 
ducible cut inferences. 


Following [16], we introduce the concept of the weight of a proof. It is a function
$|\pi| : \Lambda \to \mathbb{N}$ assigning a weight number $|\pi|(\delta)$ to a proof $\pi$ at an index $\delta \in \Lambda$.
The weight number never increases at any reduction step of a Cut in $\pi$. In the
original BLL, weights are expressed by resource polynomials, while here they
are generalized to arbitrary functions. We remark that the weights of proofs
involving Composition rules, which introduce the $!_f$ modality, use the length of the
lists constructed by $f$.


Definition 2.4. For a given proof $\pi \rhd \Lambda \mid \Gamma \vdash A$ of GBLL or GBAL, the weight
of $\pi$ is a function $|\pi| : \Lambda \to \mathbb{N}$ inductively defined as follows. A) When $\Lambda = \emptyset$,
$|\pi|$ is the evident function. B) When $\Lambda \neq \emptyset$, $|\pi|$ is defined by the following rules:

1. For an Axiom rule $\pi \rhd \Lambda \mid A \vdash A$, $|\pi|(\delta) = 1$.
2. If $\pi$ is obtained from $\pi'$ by a unary rule other than Contraction and Composition,
   $|\pi|(\delta) = |\pi'|(\delta) + 1$.
3. If $\pi$ is obtained from $\pi_1$ and $\pi_2$ by a binary rule other than Cut, $|\pi|(\delta) = |\pi_1|(\delta) + |\pi_2|(\delta) + 1$.
4. If $\pi$ is obtained from $\pi_1$ and $\pi_2$ by a Cut rule, $|\pi|(\delta) = |\pi_1|(\delta) + |\pi_2|(\delta)$.
5. If $\pi$ is obtained from $\pi'$ by a Contraction rule, $|\pi|(\delta) = |\pi'|(\delta) + 2$.
6. If $\pi$ is obtained from $\pi'$ by a Composition rule, such as

$$\frac{\pi' \rhd \Lambda' \mid\ !_{g_1} A_1, \ldots, !_{g_k} A_k \vdash B \quad f \in \mathbf{Idx}(\Lambda, \Lambda')}{\pi \rhd \Lambda \mid\ !_{g_1 \bullet f} A_1, \ldots, !_{g_k \bullet f} A_k \vdash\ !_f B}$$

then $|\pi|(\delta) = \sum_{\delta' \in f(\delta)} (|\pi'|(\delta') + 2k + 1) + k + 1$. Note that the summation
$\sum_{\delta' \in f(\delta)}$ scans all elements in the list $f(\delta)$, hence the weight depends on the
length of $f(\delta)$.


Theorem 2.1. For every proof $\pi \rhd \Lambda \mid \Gamma \vdash A$ and every $\delta \in \Lambda$, reduction steps
of reducible cuts will terminate in at most $(|\pi|(\delta))^3$ steps.


Proof (sketch). The proof is almost the same as Section 2.2 and Appendix A of
[16], except for the definition of the weight. Suppose that $\pi$ one-step reduces to
$\pi'$. From the definition of the weight, either 1) for every index $\delta \in \Lambda$ the weight
decreases (that is, $|\pi|(\delta) > |\pi'|(\delta)$), or 2) for every index $\delta \in \Lambda$ the weight is kept
(that is, $|\pi|(\delta) = |\pi'|(\delta)$). A reduction of the former type is called a symmetric
or axiom reduction [16, Sections 2.2.1 and 2.2.2], and one of the latter type a commutative
reduction [16, Section 2.2.3].

In the case where the weight is kept, we introduce another measure called the
cut size $\|\pi\| : \Lambda \to \mathbb{N}$ of a proof $\pi$. Its definition is the same as the definition of
the weight except for the Cut rule. For a proof $\pi$ obtained by a Cut rule from $\pi_1$ and $\pi_2$,
the cut size $\|\pi\|(\delta)$ is defined to be $\|\pi_1\|(\delta) + \|\pi_2\|(\delta) + |\pi_1|(\delta) + |\pi_2|(\delta)$.

In each commutative reduction from $\pi$ to $\pi'$ the cut size decreases at every index
(that is, for all $\delta \in \Lambda$, $\|\pi\|(\delta) > \|\pi'\|(\delta)$), and the cut size is at most the square
of the weight (that is, for all $\delta \in \Lambda$, $\|\pi\|(\delta) \le (|\pi|(\delta))^2$). Since the weight strictly decreases at most $|\pi|(\delta)$ times and between two such decreases at most $(|\pi|(\delta))^2$ commutative steps fit, the total
number of steps is at most the cube of the weight.


The number of reduction steps of a proof m and its weight depend on the 
length of lists computed by the Idx-morphisms occurring in 7. However, to 
discuss the actual time complexity of cut-elimination, we further need to take 
into account the time complexity of the computation of Idx-morphisms. This 
would be achieved by looking at a subcategory of Idx computable within a 
certain time complexity. We leave this argument of analyzing the actual time 
complexity of cut-elimination as a future work. 


3 Translation from Constrained BLL


We show that GBLL can express BLL via a translation. This translation is actu-
ally given for variants of these calculi, namely from BLL with constraints (called
CBLL) to GBAL with positivity axioms (called GBAL$^+$).

CBLL is an extension of BLL with constraints, which are one of the features
of Dal Lago and Hofmann's QBAL [10]. Constraints explicitly specify conditions
imposed on resource variables, and it is natural to explicitly maintain these
conditions throughout proofs. We also remark that in CBLL, weakening of !-
formulas $!_{x<p+q}A \multimap\ !_{x<p}A$ is allowed, and atomic formulas are assumed to satisfy
the positivity property (3.1).

GBAL$^+$ is designed for a sound translation from CBLL. Recall that GBAL is
an extension of GBLL with weakening $!_{f+g}A \multimap\ !_f A$ on !-formulas. Then GBAL$^+$
is a further extension of GBAL with the following positivity axioms for atomic
formulas: for every $n$-ary atomic formula $a \in \mathcal{A}$ in CBLL, we introduce an atomic
formula $[\![a]\!] \in \mathcal{A}(\mathbb{N}^n)$ to GBAL together with the axiom:

$$V_{\mathcal{C}}(F) \mid \emptyset \vdash [\![a]\!] * \langle p_1, \ldots, p_n \rangle \multimap [\![a]\!] * \langle q_1, \ldots, q_n \rangle \qquad (\forall i.\ p_i \sqsubseteq_{\mathcal{C}} q_i).$$

Here the definition of each notation is given in Sections 3.1 and 3.3. The positivity
axiom induces proofs $V_{\mathcal{C}}(F) \mid A' \vdash A$ for every two formulas $A, A'$ such that
$A' \sqsubseteq_{\mathcal{C}} A$ (the relation $\sqsubseteq_{\mathcal{C}}$ for formulas is defined in Section 3.2).


3.1 Resource Polynomials and Constraints 


We introduce basic concepts around CBLL, referring to its super-logic QBAL [10].
We put a reference at the beginning of each paragraph when the contents come
from QBAL in [10].

[10, Definition 2.1] Given a countably infinite set $\mathrm{RV}$ of resource variables, a
resource monomial over $\mathrm{RV}$ is a finite product of binomial coefficients $\prod_{i=1}^{m} \binom{x_i}{n_i}$,
where the resource variables $x_1, \ldots, x_m$ are distinct and $n_1, \ldots, n_m \in \mathbb{N}$ are
natural numbers. A resource polynomial over $\mathrm{RV}$ is a finite sum of resource
monomials. We write $1$ as $\binom{x}{0}$ and $x$ as $\binom{x}{1}$ for short. Each positive natural
number $n$ denotes the resource polynomial $1 + 1 + \cdots + 1$. Resource polynomials
are closed under sum, product, bounded sum and composition [10, Lemma 2.2].

[10, Definition 2.3] A constraint is an inequality $p \le q$, where $p$ and $q$ are
resource polynomials. We abbreviate $p + 1 \le q$ as $p < q$. A constraint $p \le q$ holds
(written $\models p \le q$) if it is true in the standard model. A constraint set (denoted
by $\mathcal{C}, \mathcal{D}$) is a finite set of constraints. A constraint $p \le q$ is a consequence
of a constraint set $\mathcal{C}$ (written $\mathcal{C} \models p \le q$) if $p \le q$ is a logical consequence of
$\mathcal{C}$. For constraint sets $\mathcal{C}$ and $\mathcal{D}$, we write $\mathcal{C} \models \mathcal{D}$ iff $\mathcal{C} \models p \le q$ for every
constraint $p \le q$ in $\mathcal{D}$. For each constraint set $\mathcal{C}$, we define an order $\sqsubseteq_{\mathcal{C}}$ on
resource polynomials by $p \sqsubseteq_{\mathcal{C}} q$ iff $\mathcal{C} \models p \le q$.

[10, Definition 2.3] We define the polarity of occurrences of free resource
variables. For a constraint $p \le q$, an occurrence of a resource variable
$x$ in $p$ is called negative, while one in $q$ is called positive.


3.2 Formulas and Inference Rules of CBLL 


Let $\mathcal{A}$ be a set of atomic formulas and assume that each atomic formula $a \in \mathcal{A}$
is associated with an arity $ar(a)$. Formulas of CBLL are defined by:

$$A, B ::= a(p_1, \ldots, p_{ar(a)}) \mid A \otimes B \mid A \multimap B \mid\ !_{x<p}A$$

where $p$ in the formula $!_{x<p}A$ satisfies $x \notin FV(p)$.

[10, Definition 2.6] Each occurrence of a free resource variable in a formula
is classified into positive or negative. Below we inductively define a positive oc-
currence of a resource variable. An occurrence of $x$ in:

- $a(p_1, \ldots, p_{ar(a)})$ is always positive.
- $A \otimes B$ is positive iff it is in $A$ and positive, or in $B$ and positive.
- $A \multimap B$ is positive iff it is in $A$ and negative, or it is in $B$ and positive.
- $!_{y<p}A$ is positive iff it is in $A$ and positive. We remark that an occurrence
  of a free resource variable in $p$ is counted as negative in $!_{y<p}A$.

[10, Definition 2.8] We extend the order $\sqsubseteq_{\mathcal{C}}$ on resource polynomials to
one on CBLL formulas.

$$a(p_1, \ldots, p_{ar(a)}) \sqsubseteq_{\mathcal{C}} a(q_1, \ldots, q_{ar(a)}) \ \text{ iff }\ \forall i.\ p_i \sqsubseteq_{\mathcal{C}} q_i$$
$$!_{x<p}A \sqsubseteq_{\mathcal{C}}\ !_{x<q}B \ \text{ iff }\ (q \sqsubseteq_{\mathcal{C}} p) \wedge (x \notin FV(\mathcal{C})) \wedge (A \sqsubseteq_{\mathcal{C} \cup \{x<q\}} B) \qquad (3.1)$$

$$\frac{A \sqsubseteq_{\mathcal{C}} B}{A \vdash_{\mathcal{C}} B}\ (\mathrm{Ax}) \qquad
\frac{\Gamma \vdash_{\mathcal{C}} A \quad \mathcal{D} \models \mathcal{C}}{\Gamma \vdash_{\mathcal{D}} A}\ (\mathrm{Str}) \qquad
\frac{\Gamma \vdash_{\mathcal{C}} B}{!_{x<p}A, \Gamma \vdash_{\mathcal{C}} B}\ (!W)$$

$$\frac{A\{0/x\}, \Gamma \vdash_{\mathcal{C}} B}{!_{x<1}A, \Gamma \vdash_{\mathcal{C}} B}\ (!D) \qquad
\frac{\Gamma,\ !_{x<p}A,\ !_{y<q}A\{p+y/x\} \vdash_{\mathcal{C}} B}{\Gamma,\ !_{x<p+q}A \vdash_{\mathcal{C}} B}\ (!C)$$

$$\frac{A_1, \ldots, A_n \vdash_{\mathcal{C} \cup \{x<p\}} B \quad x \notin FV(\mathcal{C})}{!_{x<p}A_1, \ldots, !_{x<p}A_n \vdash_{\mathcal{C}}\ !_{x<p}B}\ (!P) \qquad
\frac{!_{y<p}!_{z<q\{y/w\}}A\{z + \sum_{u<y} q\{u/w\}/x\}, \Gamma \vdash_{\mathcal{C}} B}{!_{x<\sum_{w<p} q}A, \Gamma \vdash_{\mathcal{C}} B}\ (!N)$$

Fig. 2. Inference Rules for CBLL ($\otimes$ and $\multimap$ are omitted)


[10, Section 2.3] A CBLL judgment is an expression $\Gamma \vdash_{\mathcal{C}} A$, where $\mathcal{C}$ is
a constraint set, $\Gamma$ is a multiset of formulas and $A$ is a formula. A judgment
$\Gamma \vdash_{\mathcal{C}} A$ means that $A$ is a consequence of $\Gamma$ under the constraints $\mathcal{C}$.

The inference rules (Fig. 2) are almost the same as those of QBAL; we omit the
rules for $\otimes$, $\multimap$ and Cut. Note that weakening is restricted to !-formulas. Every
BLL proof of $\Gamma \vdash A$ can be translated to a CBLL proof of $\Gamma \vdash_{\emptyset} A$.


3.3 Translation into GBALt 


As mentioned at the beginning of Section 3, we will give a translation from CBLL
to GBAL$^+$. When translating a CBLL proof of $\Gamma \vdash_{\mathcal{C}} A$, we also need to supply a set
$F$ of free resource variables satisfying $F \supseteq FV(\Gamma) \cup FV(A) \cup FV(\mathcal{C})$. Then the
translation of the proof of $\Gamma \vdash_{\mathcal{C}} A$ yields a proof of $V_{\mathcal{C}}(F) \mid [\![\Gamma]\!]^{(F,\mathcal{C})} \vdash [\![A]\!]^{(F,\mathcal{C})}$
in GBAL$^+$.


For Constraints. We define an environment over a finite set $F$ of resource
variables to be a function from $F$ to $\mathbb{N}$; by $V(F)$ we mean the set of environments
over $F$. Given an environment $\rho \in V(F)$, a resource variable $x \notin F$ and
$n \in \mathbb{N}$, by $\rho\{x \mapsto n\}$ we mean the environment over $F \cup \{x\}$ that extends $\rho$
with a mapping $x \mapsto n$. Given a resource polynomial $p$ such that $FV(p) \subseteq F$, by
$[\![p]\!] : V(F) \to \mathbb{N}$ we mean the function that evaluates the resource polynomial
$p$ under a given environment. For resource polynomials $p_1, \ldots, p_n$ such that
$FV(p_i) \subseteq F$, we define a function $\langle p_1, \ldots, p_n \rangle : V(F) \to \mathbb{N}^n$ by $\langle p_1, \ldots, p_n \rangle \rho =
([\![p_1]\!]\rho, \ldots, [\![p_n]\!]\rho)$.

Let $\rho \models p \le q$ denote $[\![p]\!]\rho \le [\![q]\!]\rho$ for a constraint $p \le q$ with a set $F$ of
free resource variables (such that $FV(p) \cup FV(q) \subseteq F$) and for an environment
$\rho \in V(F)$. For a subset $S \subseteq V(F)$ and for a constraint set $\mathcal{C}$, $S \models \mathcal{C}$ is
defined similarly: for every $\rho \in S$ and every $p \le q \in \mathcal{C}$, $\rho \models p \le q$. Given a
constraint set $\mathcal{C}$ and a set $F$ of resource variables such that $FV(\mathcal{C}) \subseteq F$, let a
set $V_{\mathcal{C}}(F)$ and a function $\iota_{F,\mathcal{C}} : V_{\mathcal{C}}(F) \to V(F)$ be given by:

$$V_{\mathcal{C}}(F) = \{\rho \in V(F) \mid \rho \models \mathcal{C}\}, \qquad \iota_{F,\mathcal{C}}(\rho) = \rho.$$

For a resource polynomial $p$, a free resource variable $x$ such that $x \notin FV(p)$, a
constraint set $\mathcal{C}$ and a set $F$ of resource variables such that $FV(p) \cup FV(\mathcal{C}) \subseteq F$,
we introduce a map $[x<p]_{(F,\mathcal{C})} : V_{\mathcal{C}}(F) \to V_{\mathcal{C} \cup \{x<p\}}(F \cup \{x\})^*$ by

$$[x<p]_{(F,\mathcal{C})}(\rho) = \rho\{x \mapsto 0\}\ \rho\{x \mapsto 1\} \cdots \rho\{x \mapsto [\![p]\!]\rho - 1\}.$$

For Formulas. Given a CBLL formula $A$, a constraint set $\mathcal{C}$ and a set of resource
variables $F$ such that $F \supseteq FV(A) \cup FV(\mathcal{C})$, the translation $[\![A]\!]^{(F,\mathcal{C})}$ of a well-
formed formula $V_{\mathcal{C}}(F) \vdash A$ is defined inductively as follows:

$$[\![a(p_1, \ldots, p_n)]\!]^{(F,\mathcal{C})} = [\![a]\!] * (\langle p_1, \ldots, p_n \rangle \circ \iota_{F,\mathcal{C}})$$
$$[\![A \otimes B]\!]^{(F,\mathcal{C})} = [\![A]\!]^{(F,\mathcal{C})} \otimes [\![B]\!]^{(F,\mathcal{C})}$$
$$[\![A \multimap B]\!]^{(F,\mathcal{C})} = [\![A]\!]^{(F,\mathcal{C})} \multimap [\![B]\!]^{(F,\mathcal{C})}$$
$$[\![!_{x<p}A]\!]^{(F,\mathcal{C})} =\ !_{[x<p]_{(F,\mathcal{C})}} [\![A]\!]^{(F \cup \{x\},\ \mathcal{C} \cup \{x<p\})}$$

For Proofs. To give a translation of proofs, we define another notation. For
resource polynomials $p, q$, a set $F$ of resource variables and a constraint set $\mathcal{C}$
such that $FV(p) \cup FV(q) \cup FV(\mathcal{C}) \subseteq F$, a set $[p,q)^{(F,\mathcal{C})}$ of environments is defined by

$$[p,q)^{(F,\mathcal{C})} = \{\rho \in V(F \cup \{t\}) \mid \rho \models \mathcal{C},\ [\![p]\!]\rho \le \rho(t) < [\![p+q]\!]\rho\}$$

where $t$ is a "fresh" resource variable such that $t \notin F$.
Given a proof $\pi \rhd \Gamma \vdash_{\mathcal{C}} A$, a translation $[\![\pi]\!]^{(F,\mathcal{C})} \rhd V_{\mathcal{C}}(F) \mid [\![\Gamma]\!]^{(F,\mathcal{C})} \vdash [\![A]\!]^{(F,\mathcal{C})}$
is defined inductively on the structure of the proof:

- For the Axiom rule, we can prove $V_{\mathcal{C}}(F) \mid [\![A]\!]^{(F,\mathcal{C})} \vdash [\![B]\!]^{(F,\mathcal{C})}$ for formulas $A, B$
  such that $A \sqsubseteq_{\mathcal{C}} B$.
- For the rules (Cut), ($\otimes$L), ($\otimes$R), ($\multimap$L), ($\multimap$R) and (!W), the translation is the simple
  replacement of each formula $A$ with $[\![A]\!]^{(F,\mathcal{C})}$.
- For the (Str) rule, we have a map $r \in \mathbf{Set}(V_{\mathcal{D}}(F), V_{\mathcal{C}}(F))$. Then the transla-
  tion is given as the reindexed proof $[\![\pi']\!]^{(F,\mathcal{C})}|_r$ of the translation $[\![\pi']\!]^{(F,\mathcal{C})}$ of the
  premise.
- For the (!D) rule, the premise is translated to $V_{\mathcal{C}}(F) \mid A', [\![\Gamma]\!]^{(F,\mathcal{C})} \vdash [\![B]\!]^{(F,\mathcal{C})}$,
  where $A' = [\![A]\!]^{(F \cup \{x\},\ \mathcal{C} \cup \{x<1\})}|_r$ and $r$ is a map such that $Jr = [x<1]_{(F,\mathcal{C})}$.
- For the (!C) rule, we define a morphism $s^{(p,q;F;\mathcal{C})}$ in $\mathbf{Idx}_a$ and functions $r_1^{(p,q;F;\mathcal{C})}$,
  $i_1^{(p,q;F;\mathcal{C})}$, $i_2^{(p,q;F;\mathcal{C})}$ ($s, r_1, i_1$ and $i_2$ for short) by

$$s : V_{\mathcal{C}}(F) \to ([p,q)^{(F,\mathcal{C})})^*, \qquad \rho \mapsto \rho\{t \mapsto [\![p]\!]\rho\} \cdots \rho\{t \mapsto [\![p+q]\!]\rho - 1\}$$
$$r_1 : [p,q)^{(F,\mathcal{C})} \to V_{\mathcal{C} \cup \{y<q\}}(F \cup \{y\}), \qquad \rho\{t \mapsto [\![p]\!]\rho + k\} \mapsto \rho\{y \mapsto k\}$$
$$i_1 : V_{\mathcal{C} \cup \{x<p\}}(F \cup \{x\}) \to V_{\mathcal{C} \cup \{x<p+q\}}(F \cup \{x\}), \qquad \rho\{x \mapsto k\} \mapsto \rho\{x \mapsto k\}$$
$$i_2 : [p,q)^{(F,\mathcal{C})} \to V_{\mathcal{C} \cup \{x<p+q\}}(F \cup \{x\}), \qquad \rho\{t \mapsto [\![p]\!]\rho + k\} \mapsto \rho\{x \mapsto [\![p]\!]\rho + k\}$$

  They satisfy $!_{[x<p]_{(F,\mathcal{C})}}([\![A]\!]^{(F \cup \{x\},\ \mathcal{C} \cup \{x<p\})}) =\ !_{Ji_1 \bullet [x<p]_{(F,\mathcal{C})}}([\![A]\!]^{(F \cup \{x\},\ \mathcal{C} \cup \{x<p+q\})})$ and
  $!_{[y<q]_{(F,\mathcal{C})}}([\![A\{p+y/x\}]\!]^{(F \cup \{y\},\ \mathcal{C} \cup \{y<q\})}) =\ !_{Ji_2 \bullet s}([\![A]\!]^{(F \cup \{x\},\ \mathcal{C} \cup \{x<p+q\})})$, both by the formula equality (2.1).
  Since $Ji_1 \bullet [x<p]_{(F,\mathcal{C})} + Ji_2 \bullet s = [x<p+q]_{(F,\mathcal{C})}$ as 1-cells (the first lists $x \mapsto 0, \ldots, [\![p]\!]\rho - 1$ and the second $x \mapsto [\![p]\!]\rho, \ldots, [\![p+q]\!]\rho - 1$),
  the contraction rule of GBAL yields the translated conclusion of (!C):
  $V_{\mathcal{C}}(F) \mid [\![\Gamma]\!]^{(F,\mathcal{C})},\ !_{[x<p+q]_{(F,\mathcal{C})}}[\![A]\!]^{(F \cup \{x\},\ \mathcal{C} \cup \{x<p+q\})} \vdash [\![B]\!]^{(F,\mathcal{C})}$.
— For (!P) rule, let F’ = F U {x} and @ = G U {x < p}. We can prove the 
translated conclusion from the translated premise by the following proof: 


Ve (F^ | [A1] E0, [An] POOF [BE 


n times (!D)’s : 
Væ (F") | tia [Ma] E", hal A, POF [B] E2 
Ve(F) | tea [Ai] = eee) [An] POF liz<p] [Bee 
— For the (!N) rule, we define index sets Λ_0, Λ_1, Λ_2 and constraint sets C_0, C_1, C_2 by

C_0 = C ∪ {y < p},   Λ_0 = V_{C_0}(F ∪ {y})
C_1 = C ∪ {y < p, z < q{y/w}},   Λ_1 = V_{C_1}(F ∪ {y, z})
C_2 = C ∪ {x < Σ_{w<p} q(w)},   Λ_2 = V_{C_2}(F ∪ {x})

There is an isomorphism r ∈ Set(Λ_1, Λ_2), and the equation [z < q{y/w}]^{(F∪{y}, C_0)} ∘ [y < p]^{(F,C)} = Jr ∘ [x < Σ_{w<p} q(w)]^{(F,C)} holds. Therefore, the (!N) rule can be translated to the following provable judgment:
Vel jllg al Al PUB b ealan A E ya Orth) 


Since every BLL proof π ▷ Γ ⊢ A can be translated to a CBLL proof Γ ⊢_∅ A, it can further be translated to a GBLL proof V_∅(F) | [Γ] ⊢ [A].
4 Categorical Semantics for GBLL


We give a categorical semantics of GBLL. First, notice that each index set Λ determines a multiplicative linear logic under Λ. We model this situation by set-indexed symmetric monoidal closed categories, given by a functor C : Set^op → SMCC_strict. That is, for each Λ ∈ Set, a symmetric monoidal closed category CΛ is given, and any function f : Λ → Λ′ induces a strict symmetric monoidal closed functor Cf : CΛ′ → CΛ, performing renaming of indexes.

Upon these indexed symmetric monoidal closed categories, we introduce a categorical structure that models the ! modality. We call it an indexed linear exponential comonad. This is a generalization of the semiring-graded linear exponential comonad studied in [322]. Our generalization replaces the semiring with Idx, which may be regarded as a many-object pseudo-semiring (Proposition 2.1).

We write [C, D]_l for the category of symmetric lax monoidal functors from C to D and monoidal natural transformations between them. We equip it with the pointwise symmetric monoidal structure (I, ⊗) given by IX = I and (F ⊗ G)X = FX ⊗ GX for X ∈ C.


Definition 4.1. An indexed linear exponential comonad (ILEC for short) over a set-indexed SMCC C consists of:

— A collection of symmetric colax monoidal functors (D, w^{Λ,Λ′}, δ^{Λ,Λ′}) : Idx(Λ, Λ′) → [CΛ′, CΛ]_l, (Λ, Λ′ ∈ Set). The symmetric lax monoidal structure of Df is denoted by m_f : I → DfI and m_{f,A,B} : DfA ⊗ DfB → Df(A ⊗ B).

— Monoidal natural transformations ε_Λ : D(id_Λ) → Id_{CΛ} and δ_{g,f} : D(g ∘ f) → Df ∘ Dg satisfying the axioms in Figure 3.

— Cr′ ∘ Df ∘ Cr = D(Jr ∘ f ∘ Jr′) holds for any morphism f in Idx and r, r′ in Set of appropriate type.

The last axiom has two purposes: the equality Cr′(DfA) = D(f ∘ Jr′)A is to allow reindexing functions to act from outside, and the other equality Df(CrA) = D(Jr ∘ f)A is to make D invariant under internal reindexing of formulas. These equalities are tied up with the formula equivalence and with the definition of reindexing at !_f A, respectively. We postpone a concrete example of ILEC to Section 4.2.


4.1 Semantics of GBLL

We interpret a well-formed formula Λ ⊢ A as an object [Λ ⊢ A] ∈ CΛ. This is done by induction on the structure of the formula. We assume that each atomic formula a ∈ A(Λ) comes with its interpretation as an object [a] ∈ CΛ.

[Λ ⊢ a|r] := Cr[a]   [Λ ⊢ !_f A] := Df[Λ′ ⊢ A]

[Λ ⊢ A ⊗ B] := [Λ ⊢ A] ⊗ [Λ ⊢ B]   [Λ ⊢ A ⊸ B] := [Λ ⊢ A] ⊸ [Λ ⊢ B]
Fig. 3. Axioms of Indexed Linear Exponential Comonad. (The commutative diagrams are not recoverable from the extraction; they relate D(f∘h + g∘h)A with D((f + g)∘h)A, Dh(DfA) ⊗ Dh(DgA) with Dh(DfA ⊗ DgA), D(h∘g∘f)A with D(g∘f)(DhA), and Df(D(id_Λ)A) with DfA.)


Proposition 4.1. For any r ∈ Set(Λ, Λ′) and well-formed formula Λ′ ⊢ A, we have [Λ ⊢ A|r] = Cr[Λ′ ⊢ A].

Proposition 4.2. [Λ ⊢ !_{Jr∘f} A] = [Λ′ ⊢ !_f (A|_r)].

Each proof π ▷ Λ | Γ ⊢ A of GBLL is interpreted as a morphism [Λ | Γ ⊢ A] : [Λ ⊢ Γ] → [Λ ⊢ A] in CΛ. Here, for a sequence Γ = C_1, ..., C_m of formulas, [Λ ⊢ Γ] denotes [Λ ⊢ C_1] ⊗ ··· ⊗ [Λ ⊢ C_m]. We write out the interpretation only for the cases of modalities, because the other rules, Axiom, Exchange, Cut, ⊗(L, R) and ⊸(L, R), are interpreted as in the semantics of multiplicative intuitionistic linear logic. Fig. 4 shows the interpretation of the rules related to !_f.

Theorem 4.1. For a proof π ▷ Λ | Γ ⊢ A, if π has a reducible cut and reduces to π′ by a reduction step, then [π] = [π′] in CΛ.


4.2 Construction of an Indexed Linear Exponential Comonad

We present a construction of indexed SMCCs C : Set^op → SMCC_strict and an ILEC D : Idx(Λ, Λ′) → [CΛ′, CΛ]_l over C from a SMCC (C, ⊗, I, ⊸) and a symmetric lax monoidal comonad (V, m^V, m^V_{X,Y}, ε, δ) on C.

Construction of Indexed SMCCs First, for each index set Λ, we define the category Λ ⋔ C to be the product of Λ-many copies of C. We represent objects and morphisms of this category by maps X : Λ → Obj(C) and maps
Fig. 4. Interpretations of Modal Rules. (The rule-by-rule diagram is not recoverable from the extraction.) Here, 1) [A] denotes [Λ ⊢ A] for each well-formed formula Λ ⊢ A. 2) π′ denotes the proof of the premise of each rule.


f : Λ → Mor(C), respectively. Since SMCCs are closed under products, Λ ⋔ C is a SMCC by the component-wise tensor product and internal hom:

I(d) := I,   (X ⊗ Y)(d) := X(d) ⊗ Y(d),   (X ⊸ Y)(d) := X(d) ⊸ Y(d)

We then define the indexed SMCCs C by CΛ := Λ ⋔ C.

Folding Product We next introduce the folding product functor T; we later compose it with the symmetric lax monoidal comonad V so that we can derive various ILECs over C. Note that T itself is also an ILEC; set V = Id. The type of T is Λ* × (Λ ⋔ C) → C, and it is defined by

T(i_1 i_2 ··· i_n, A) := A(i_1) ⊗ A(i_2) ⊗ ··· ⊗ A(i_n),   T((), A) := I

On morphisms, T maps a list permutation in the first argument to the symmetry morphism in C. T is symmetric strong monoidal in each argument. Moreover, the strong monoidal structures interact well with each other, so that T becomes a multi-symmetric strong monoidal functor in the sense of [21].

Proposition 4.3. For f ∈ Idx(Λ, Λ′) and l = i_1 ··· i_k ∈ Λ*, let f(l) denote f(i_1) ··· f(i_k). Then T(f(l), A) ≅ T(l, T(f(_), A)) holds, and this isomorphism is natural in A.
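To make the index-list machinery concrete, here is an added Python sketch; it is not code from the paper, and the names bounded_index, folding_product, D and proposition_4_3_holds are this example's own. Idx morphisms are modelled as Python functions returning lists of indices, the bounded-quantification map [x < p] from the CBLL translation above is one such morphism, composition is map-and-concatenate, and the folding product T(l, A) is computed in Set with the cartesian product standing in for ⊗. The check proposition_4_3_holds verifies T(f(l), A) ≅ T(l, T(f(_), A)) on constructed data by flattening nested tuples, and the two distributivity checks show that h∘(f + g) = h∘f + h∘g holds on the nose while (f + g)∘h = f∘h + g∘h holds only up to reordering, consistent with Fig. 3 relating D(f∘h + g∘h)A and D((f + g)∘h)A by a morphism. Composing two bounded maps [y < x+1] ∘ [x < n] at n = 2 yields 3 indices, matching the sum Σ_{w<p} q(w) used in the (!N) case. Environments and the sample family A_SAMPLE are constructed for this example.

```python
"""Constructed example (not the paper's code): index lists, the bounded
quantification map [x < p], and the folding product T(l, A), modelled in
plain Python sets with the cartesian product standing in for the tensor.
An Idx morphism is a function returning a list of target indices;
environments rho are dicts from resource variables to naturals."""
from itertools import product


def bounded_index(x, p):
    """[x < p]: rho |-> (rho{x:=0}, rho{x:=1}, ..., rho{x:=[p]_rho - 1}).
    p is a callable evaluating a resource polynomial in an environment."""
    return lambda rho: [dict(rho, **{x: j}) for j in range(p(rho))]


def idx_compose(g, f):
    """Composition g . f in Idx: map g over the list f(i) and concatenate."""
    return lambda i: [k for j in f(i) for k in g(j)]


def idx_plus(f, g):
    """Pseudo-semiring addition f + g: concatenation of index lists."""
    return lambda i: f(i) + g(i)


def folding_product(l, A):
    """T(l, A) = A(i_1) (x) ... (x) A(i_k); the empty list gives I = {()}."""
    return set(product(*[A(i) for i in l]))


def D(f, A):
    """(Df A)(i) = T(f(i), A): the family !_f A over the source index set."""
    return lambda i: folding_product(f(i), A)


def map_list(f, l):
    """f(l) for a list l = i_1 ... i_k: the concatenation f(i_1) ... f(i_k)."""
    return [k for i in l for k in f(i)]


def proposition_4_3_holds(l, f, A):
    """T(f(l), A) ~ T(l, T(f(_), A)): flattening the nested tuples of the
    right-hand side must give exactly the left-hand side."""
    lhs = folding_product(map_list(f, l), A)
    rhs = folding_product(l, D(f, A))
    return lhs == {tuple(a for group in t for a in group) for t in rhs}


def left_distributes(h, f, g, i):
    """h . (f + g) = h . f + h . g holds on the nose as index lists."""
    lhs = idx_compose(h, idx_plus(f, g))(i)
    rhs = idx_plus(idx_compose(h, f), idx_compose(h, g))(i)
    return lhs == rhs


def right_distributes_up_to_permutation(f, g, h, i):
    """(f + g) . h = f . h + g . h only up to reordering the list."""
    lhs = idx_compose(idx_plus(f, g), h)(i)
    rhs = idx_plus(idx_compose(f, h), idx_compose(g, h))(i)
    return sorted(map(repr, lhs)) == sorted(map(repr, rhs))


# Constructed sample data: F = {n}, p = n, and a family A_SAMPLE over
# environments for F u {x} with two elements at every index.
P_N = lambda rho: rho['n']
F_X = bounded_index('x', P_N)
A_SAMPLE = lambda rho: {('a', rho['x']), ('b', rho['x'])}

if __name__ == '__main__':
    print(sorted(D(F_X, A_SAMPLE)({'n': 2})))
    print(proposition_4_3_holds([{'n': 2}, {'n': 1}], F_X, A_SAMPLE))
```

Running the block prints the four elements of (D[x<n] A_SAMPLE)({n: 2}) and True for the naturality check on the sample list.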
Remark 4.1. Usually the !-modal formula !A in linear logic is interpreted by the object consisting of many copies of the same data (referred to as the uniformity of !A [8]). We leave the development of a uniform folding product as future work.


Construction of ILEC We now compose the folding product functor with the symmetric lax monoidal comonad V, to derive another ILEC. Let Λ, Λ′ be index sets. We define a symmetric strong (hence colax) monoidal functor D : Idx(Λ, Λ′) → [CΛ′, CΛ]_l by

DfA(i) := T(f(i), V ∘ A),   Dfρ(i) := T(f(i), V ∘ ρ),   DαA := T(α, V ∘ A).   (4.1)

Here A ∈ Λ′ ⋔ C, and ρ and α are morphisms in Λ′ ⋔ C and Idx(Λ, Λ′), respectively. We also define a helper morphism γ_{l,A} : T(l, V ∘ A) → V T(l, A) for l = (l_1 ··· l_k) ∈ Λ* and A ∈ Λ ⋔ C. It is the multiple composite of m^V_{X,Y}:

It is routine to verify that this morphism is monoidal natural in l and A. Two monoidal natural transformations ε : D id_Λ → Id_{Λ⋔C} and δ_{g,f} : D(g ∘ f) → Df ∘ Dg are defined by:


cag TH VoA)= VAG) (4.2) 
öppna TU NOV oA) STETU, V oA) n 
TET), TE TA, V o V oA) TER, DADIANG). 


Theorem 4.2. The symmetric colax monoidal functor D (4.1) and the monoidal natural transformations ε, δ (4.2, 4.3) determine an ILEC over C.


4.3 GBLL Semantics by Realizability Category 


Hofmann et al., and also Dal Lago et al., employ a realizability semantics to show that the complexity of BLL proof reductions belongs to P-time [19,10]. In this section we compare their semantics and the simple semantics of GBLL constructed in the previous section.

We instantiate C in the previous section with the realizability category over a BCI algebra (A, ·), which is a combinatory algebra based on the B, C, I-combinators; see e.g. [2,20]. We then form the realizability category Ass(A) by the following data: an object is a function f into P⁺A, where P⁺ is the nonempty powerset construction, and a morphism from f to g is a function h : dom f → dom g with the following property: there exists an element e ∈ A such that for any x ∈ dom f and a ∈ f(x), we have e · a ∈ g(h(x)). The category Ass(A) is symmetric monoidal closed; see e.g. [20, Proposition 4]. The tensor product of f and g is given by (f ⊗ g)(x, y) = {u ⋈ v | u ∈ f(x), v ∈ g(y)}, where u ⋈ v is the BCI-algebra element corresponding to λx.xuv [20, Section 2].
Next, let Λ be a set and consider the power category Λ ⋔ Ass(A). Under the axiom of choice, Λ ⋔ Ass(A) is equivalently described as follows: an object is a family of functions {f_i}_{i∈Λ} into P⁺A, and a morphism from {f_i}_{i∈Λ} to {g_i}_{i∈Λ} is a family of functions {h_i : dom f_i → dom g_i}_{i∈Λ} with the following property: there exists a function e : Λ → A such that for any i ∈ Λ, x ∈ dom f_i and a ∈ f_i(x), we have e(i) · a ∈ g_i(h_i(x)).

This power category is quite close to the realizability category introduced in [19, Section 4] and [10, Section 4]. A membership statement a ∈ f_i(x) for an object {f_i}_{i∈Λ} ∈ Λ ⋔ Ass(A) corresponds to a realizability statement i, a ⊩ x in the realizability category (see [19]). The major difference between these categories is twofold: 1) In the realizability category, a computability constraint is imposed on e : Λ → A to achieve the characterization of P-time complexity. 2) Objects in the realizability category are limited to Λ ⋔ Ass(A)-objects such that all f_i share a common domain. This is to synchronize with the set-theoretic semantics ignoring resource polynomials [19, Section 3], [10, Section 3].

We compute the bounded !-modality using the folding product ILEC T with respect to the indexed SMCC (_) ⋔ Ass(A). Let F be a finite set of variables, x ∉ F be a resource variable, p be a resource polynomial and C be a constraint set under F. For any object X in V_{C∪{v<p}}(F ∪ {v}) ⋔ Ass(A), the folding product T([v < p]^{(F,C)}, X) is an object in V_C(F) ⋔ Ass(A) satisfying

T([v < p]^{(F,C)}, X)(i) = λ(x_0, ..., x_{[p]_i − 1}) . {a_0 ⊗ ··· ⊗ a_{[p]_i − 1} |  a_j ∈ X(i{v ↦ j})(x_j)}   (4.4)

This is different from the modality over the realizability category introduced in [19, Definition 16] and [10, Definition 4.6]:

(!_{v<p} X)(i) = λx . {a_0 ⊗ ··· ⊗ a_{[p]_i − 1} | a_j ∈ X(i{v ↦ j})(x)};

it only takes a single argument. This is again because their realizability semantics is designed to synchronize with the set-theoretic semantics ignoring resource polynomials; in particular, it interprets [!_{v<p} A] = [A]. On the other hand, the bounded quantification computed in (4.4) does not ignore resource polynomials and indexing, as the domain of (4.4) is the index-dependent product ∏_j dom(X(i{v ↦ j})). From this, we conjecture that the semantics of BLL using the ILEC T over (_) ⋔ Ass(A) realizes an index-dependent set-theoretic semantics of BLL; we leave this semantics as future work.


5 Conclusion and Related Work 


We introduced GBLL, a generalization of Girard et al.’s BLL. We analyzed the complexity of cut-elimination in GBLL, and gave a translation from CBLL, an extension of BLL with constraints, to GBLL. We then introduced ILEC as a categorical structure for interpreting the !-modality of GBLL. The ILEC is an Idx-graded linear exponential comonad interacting well with specified indexed SMCCs. We gave an elementary construction of ILEC using the folding product,
and a technique to derive its variants by inserting symmetric monoidal comonads. We gave the semantics of BLL using the folding product on the category of assemblies of a BCI-algebra, and related it to the realizability category studied in [19,10].

Girard’s BLL has had a great influence on the subsequent development of indexed modalities and implicit complexity theory [16]. Hofmann and Scott introduced the realizability technique to BLL and semantically proved that BLL characterizes P-time complexity [19]. Their work was further enriched and studied by Dal Lago and Hofmann [10]. Gaboardi combined the !-modality involving variable binding with PCF and showed that the combined system is relatively complete [24].

Bucciarelli and Ehrhard’s indexed linear logic with exponential [9] is one of the closest systems to GBLL. However, the type of the !-modality is different: their system derives Λ ⊢ !_f A from Λ′ ⊢ A and an almost injective function f : Λ′ → Λ; that is, a function where each f^{−1}(i) is finite. To relate their system and GBLL, let us use the finite powerset construction P_fin and convert f into its inverse f^{−1} : Λ → P_fin(Λ′). This exhibits the similarity with GBLL: GBLL relaxes P_fin to (_)*, and takes the inverse as the parameter for the !-modality. The novelty of this work relative to [9] is that a categorical axiomatization for the !_f modality is identified as an extension of the graded linear exponential comonads [7,22]. Another novelty is to show that GBLL is enough to encode BLL.

As described in Section 1, the simple form of !-modality !_r A is also widely used in various type systems and programming languages. Examples include: INTML [30], coeffect calculus and its combination with effect systems [13], the Granule language [26], bounded linear type systems [14,26], type systems for the analysis of higher-order model-checking [18,17], a generic BLL-like logic BsLL over semirings [6], the Fuzz type system for function sensitivity and differential privacy PIMI], and many more. A combination of !_r A with dependent type theory called QTT is also introduced in and [4]. Among these systems, each of [[2[26[1] supports 1) full universal and existential, 2) full universal and 3) partial universal quantification over grades, respectively.

The categorical structure corresponding to the simple form of !-modality appears in [7,13,23] and is identified as a semiring-graded linear exponential comonad. Breuvart constructed various examples of semiring-graded linear exponential comonads on relational models of linear logic [6] using his slicing technique. In this work we replaced semirings with Idx, which may be seen as a multi-object pseudo-semiring. In the study of graded monads, Orchard et al. generalize the grading structure from ordered monoids to 2-categories [27]. The main difference from this work is that their generalized graded monad is defined over a single category, while an ILEC is defined over indexed SMCCs.
Abstract. The logic of Bunched Implications (BI) freely combines additive and multiplicative connectives, including implications; however, despite its well-studied proof theory, proof-search in BI has always been a difficult problem. The focusing principle is a restriction of the proof-search space that can capture various goal-directed proof-search procedures. In this paper we show that focused proof-search is complete for BI by first reformulating the traditional bunched sequent calculus using the simpler data-structure of nested sequents, following with a polarised and focused variant that we show is sound and complete via a cut-elimination argument. This establishes an operational semantics for focused proof-search in the logic of Bunched Implications.


Keywords: Logic - Proof-search - Focusing - Bunched Implications. 


1 Introduction 


The Logic of Bunched Implications (BI) [31] is well-known for its applications 
in systems modelling [32], especially a particular theory (of a variant of BI) 
called Separation Logic [37,23] which has found industrial use in program ver- 
ification. In this work, we study an aspect of proof search in BI, relying on its 
well-developed and well-studied proof theory [33]. We show that a goal-directed 
proof-search procedure known as focused proof-search is complete; that is, if there 
is a proof then there is a focused one. Focused proofs are both interesting in the 
abstract, giving insight into the proof theory of the logic, and have (for other log- 
ics) been a useful modelling technology in applied settings. For example, focused 
proof-search forms an operational semantics of the DPLL SAT-solvers [14], logic 
programming [29,1,13,7], automated theorem provers [28], and has been success- 
ful in providing a meta-theoretic framework in intuitionistic, substructural, and 
modal logics [27,30,25]. 

Syntactically BI combines additive and multiplicative connectives, but un- 
like related logics such as Linear Logic (LL) [22], BI takes all the connectives as 
primitive. Indeed, it arose from a proof-theoretic investigation on the relation- 
ship between conjunction and implication. As a result, sequents in BI have a 
more complicated structure: each implication comes with an associated context-former. Therefore, in BI contexts are not lists, nor multisets, but instead are bunches: binary trees whose leaves are formulas and internal nodes context-formers. Additive composition (Γ; Δ) admits the structural rules of weakening and contraction, whereas multiplicative composition (Γ, Δ) denies them. The principal technical challenges when studying proof-search in BI arise from the interaction between the additive and multiplicative fragments. We overcome these challenges by restricting the application of structural rules in the sequent calculus LBI as well as working with a representation of bunches as nested multisets.


Throughout we use the term sequent calculus in a strict sense; that is, mean- 
ing a label-free internal sequent calculus, formed in the case of BI by a context 
(a bunch) and a consequent (a formula). The term proof-search is consistently 
understood to be read as backward reduction within such a system. Although 
there is an extensive body of research on systems and procedures for semantics- 
based calculi in BI [19,20,16,17,18], there has been comparatively little formal 
study on proof-search in the strict sense. One exception is the completeness 
result for (unit-simple) uniform proofs [2] which is partially subsumed by the 
results herein. 


The focusing principle was introduced for Linear Logic [1] and is charac- 
terised by alternating focused and unfocused phases of goal-directed proof-search. 
The unfocused phase comprises rules which are safe to apply (i.e. rules where 
provability is invariant); conversely, the focused phase contains the reduction of 
a formula and its sub-formulas where potentially invalid sequents may arise, and 
backtracking may be required. During focused proof-search the unfocused phases 
are performed eagerly, followed by controlled goal-directed focused phases, until 
safe reductions are available again. We say that the focusing principle holds when 
every provable sequent has a focused proof. This alternation can be enforced by 
a mechanism based on a partition of the set of formulas into two classes, positive 
and negative, which correspond to safe behaviour on the left and right respec- 
tively; that is, for negative formulas provability is invariant with respect to the 
application of a right rule, and for positive formulas, of a left rule, but in the 
other cases the application may result in invalid sequents. 


The original proof of the focusing principle in Linear Logic was via long 
and tedious permutations of rules [1]. In this paper, we use for BI a different 
methodology, originally presented in [24], which has since been implemented in a 
variety of logics [25,5,6] and proof systems [13]. The method is as follows: given a 
sequent calculus, first one polarises the syntax according to the positive/negative 
behaviours; second, one gives a focused variation of the sequent calculus where 
the control flow of proof-search is managed by polarisation; third, one shows 
that this system admits cut (the only non-analytic rule); and, finally, one shows 
that in the presence of cut the original sequent calculus may be simulated in 
the focused one. When the polarised system is complete, the focusing principle 
holds. 


In LBI certain rules (the structural rules) have no natural placement in ei- 
ther the focused or the unfocused phases of proof-search. Thus, a design choice 
must be made: to eliminate/constrain these rules, or to permit them without restriction. The first gives a more strictly controlled proof-search regime, but the latter typically achieves a more well-behaved proof-theoretic meta-theory. In this paper, we choose the former, as our motivation is to study the computational behaviour of proof-search in BI, the latter being recovered by familiar admissibility results. The only case where confinement is not possible is the exchange rule. In standard sequent calculi the exchange rule is made implicit by working with a more convenient data-structure such as multisets as opposed to lists; however, the specific structure of bunches in BI means that a more complex alternative is required. The solution presented is to use nested multisets of two types (additive and multiplicative) corresponding to the two different context-formers/conjunctions.

In Section 2 we present the logic of Bunched Implications; in particular, Section 2.1 and Section 2.2 contain the background on BI (the syntax and sequent calculus respectively); meanwhile, Section 2.3 gives a representation of bunches as nested multisets. Section 3 contains the focused system: first, in Section 3.1 we introduce the polarised syntax; second, in Section 3.2 we introduce the focused sequent calculus and some metatheory, most importantly the cut-admissibility result; finally, in Section 3.3 we give the completeness theorem, from which the validity of the focusing principle follows as a corollary. We conclude in Section 4 with some further discussion and future directions.


2 Re-presentations of BI 


2.1 Traditional Syntax 


The logic BI has a well-studied metatheory admitting familiar categorical, alge- 
braic, and truth-functional semantics which have the expected dualities 
[34,17,33,11,32]. In practice, it is the free combination (or, more precisely, the 
fibration [15,33]) of intuitionistic logic (IL) and the multiplicative fragment of 
intuitionistic linear logic (MILL), which imposes the presence of two distinct 
context-formers in its sequent presentation. That is to say, the two conjunctions 
A and * are represented at the meta-level by context-formers ; and , in place of 
the usual commas for IL and MILL respectively. 


Definition 1 (Formula). Let P be a denumerable set of propositional letters. The formulas of BI, denoted by small Greek letters (φ, ψ, χ, ...), are defined by the following grammar, where A ∈ P,

φ ::= ⊤ | ⊥ | ⊤* | A | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) | (φ * φ) | (φ -* φ)

If ∘ ∈ {∧, ∨, →, ⊤} then it is an additive connective and if ∘ ∈ {*, -*, ⊤*} then it is a multiplicative connective. The set of all formulas is denoted F.


Definition 2 (Bunch). A bunch is constructed from the following grammar, where φ ∈ F,

Δ ::= φ | Ø+ | Ø× | (Δ ; Δ) | (Δ , Δ)


250 A. Gheorghiu and S. Marin 


The symbols Ø+ and Ø× are the additive and multiplicative units respectively, and the symbols ; and , are the additive and multiplicative context-formers respectively. A bunch is basic if it is a formula, Ø+, or Ø× and complex otherwise. The set of all bunches is denoted B, the set of complex bunches with additive root context-former by B+, and the set of complex bunches with multiplicative root context-former by B×.


For two bunches Δ, Δ′ ∈ B, if Δ′ is a sub-tree of Δ, it is called a sub-bunch. We may use the standard notation Δ(Δ′) (despite its slight impracticality) to denote that Δ′ is a sub-bunch of Δ, in which case Δ(Δ″) is the result of replacing the occurrence of Δ′ by Δ″. If δ is a sub-bunch of Δ, then the context-former ∘ is said to be its principal context-former in Δ(Δ′ ∘ δ) (and Δ(δ ∘ Δ′)).


Example 3. Let φ, ψ and χ be formulas, and let Δ = (φ, (χ; Ø+)); (ψ; (ψ; Ø×)). The bunch may be written for example as Δ(φ, (χ; Ø+)), which means that we can have Δ(ψ; φ) = (ψ; φ); (ψ; (ψ; Ø×)).


Definition 4 (Bunched Sequent). A bunched sequent is a pair of a bunch Δ, called the context, and a formula φ, denoted Δ ⇒ φ.


Bunches are intended to be considered up to coherent equivalence (≡). It is the least relation satisfying:

— Commutative monoid equations for ; with unit Ø+,

— Commutative monoid equations for , with unit Ø×,

— Congruence: if Δ′ ≡ Δ″ then Δ(Δ′) ≡ Δ(Δ″).

It will be useful to have a measure on sub-bunches which can identify their distance from the root node.


Definition 5 (Rank). If Δ′ is a sub-bunch of Δ, then ρ(Δ′) is the number of alternations of additive and multiplicative context-formers between the principal context-former of Δ′ and the root context-former of Δ.

Let Δ be a complex bunch; we use Δ′ ∈ Δ to denote that Δ′ is a (proper) top-most sub-bunch; that is, Δ′ is a sub-bunch of Δ satisfying Δ ≠ Δ′ but ρ(Δ′) = 0.


Example 6. Let Δ be as in Example 3; then ρ(Ø+) = 2 whereas ρ(Ø×) = 0; hence ψ, Ø× and (φ, (χ; Ø+)) ∈ Δ. Consider the parse-tree of Δ:

(Parse tree of Δ: root ; with children (φ, (χ; Ø+)) and (ψ; (ψ; Ø×)); the drawing is not recoverable from the extraction.)

Reading upward from Ø+, one encounters first ; which changes into , and then back to ; so the rank is 2; whereas counting up from Ø× one only encounters ; so the rank is 0.
Fig. 1. Sequent Calculus LBI (the rule display is not recoverable from the extraction).


2.2 Sequent Calculus 


The proof theory of BI is well-developed, including familiar Hilbert, natural deduction, sequent calculi, tableaux systems, and display calculi [33,17,3]. In what follows we restrict attention to the sequent calculus, as it is more amenable to studying proof-search as computation, having local correctness while enjoying the completeness of analytic proofs.


Definition 7 (System LBI). The bunched sequent calculus LBI is composed of 
the rules in Figure 1. 


The classification of ∧ as additive may seem dubious upon reading the ∧R rule, but the designation arises from the use of the structural rules; that is, the ∧R and →R rules may be replaced by additive variants without loss of generality. The presentation in Figure 1 is as in [33] and simply highlights the nature of the additive and multiplicative context-formers. Nonetheless, the choice of rule does affect proof-search behaviours, and the consequences are discussed in more detail in Section 3.1.


Lemma 8 (Cut-elimination). If φ has an LBI-proof, then it has a cut-free LBI-proof, i.e., a proof with no occurrence of the cut rule.


Throughout, unless specified otherwise, we take proof to mean cut-free proof. Moreover, if L is a sequent calculus we use ⊢_L Δ ⇒ φ to denote that there is an L-proof of Δ ⇒ φ. Further, if R is a rule, then we write L + R to denote the sequent calculus combining the rules of L with R.

The following result, that a generalised version of the axiom is derivable in 
LBI, will allow for such sequents to be used in proof-construction later on. 
Lemma 9. For any formula φ, ⊢_LBI φ ⇒ φ.

Proof. Follows by induction on the size of φ.


The remainder of this section is the meta-theory required to control the 
structural rules, which pose the main issue to the study of proof-search in BI. 


Lemma 10. The following rules are derivable in LBI, and replacing W with 
them does not affect the completeness of the system. 


(The derived rules of Lemma 10 are displayed here in the original; the display is not recoverable from the extraction.)


Proof. We can construct in LBI derivations with the same premisses and conclusion as these rules by use of the structural rules. Let LBI′ be LBI without W but with these new rules (retaining also *R, =, ⊤R, ⊤*R, and Ax); then W is admissible in LBI′ using a standard permutation argument.


One may regard the above modification to LBI as forming a new calculus, but 
since all the new rules are derivable it is really a restriction of the calculus, in the 
sense that all proofs in the new system have equivalent proofs in LBI differing 
only by explicitly including instances of weakening. 


2.3 Nested Calculus 


Originally, sequents in the calculi for classical and intuitionistic logics (LK and LJ, 
respectively) were introduced as lists, and a formal exchange rule was required to 
permute elements when needed for a logical rule to be applied [21]. However, in 
practice, the exchange rule is often suppressed, and contexts are simply presented 
as multisets of formulas. This reduces the number of steps/choices being made 
during proof-search without increasing the complexity of the underlying data 
structure. Bunches have considerably more structure than lists, but a quotient 
with respect to coherent equivalence can be made resulting in two-sorted nested 
multisets; this was first suggested in [12], though never formally realised. 


Definition 11 (Two-sorted Nest). Nests (Γ) are formulas or multisets, ascribed either additive (Σ) or multiplicative (Π) kind, containing nests of the opposite kind:

Γ ::= Σ | Π    Σ ::= φ | {Π1, ..., Πn}+    Π ::= φ | {Σ1, ..., Σn}×

The constructors are multiset constructors which may be empty, in which case the nests are denoted Ø+ and Ø× respectively. No multiset is a singleton, and the set of all nests is denoted B/≡.
Given nests Δ and Γ, we write Δ ∈ Γ to denote either that Δ = Γ, if Γ is a formula, or that Δ is an element of the multiset Γ otherwise. Furthermore, we write Δ ⊆ Γ to denote ∀γ ∈ B/≡, if γ ∈ Δ then γ ∈ Γ.

We will depart from the standard, yet impractical, sub-bunch notation, and adopt a context notation for nests instead. We write Γ{·}+ (resp. Γ{·}×) for a nest with a hole within one of its additive (resp. multiplicative) multisets. The notation Γ{Δ}+ (resp. Γ{Δ}×) denotes that Δ is a sub-nest of Γ of additive (resp. multiplicative) kind; we may use Γ{Δ} when the kind is not specified. In either case Γ{Δ′} denotes the result of substituting Δ′ for Δ. A promotion in the syntax tree may be required after a substitution, either to handle a singleton or an improper alternation of constructor types.


Example 12. The following inclusions are valid, 


{p,x}x € [{e xdod} 2 {vx hot b Bx J =T{{p,x}x}+ 


It follows that Γ{{ψ, φ}+}+ = {ψ, φ, ψ, ψ, Ø×}+. Note the absence of the {·}+ constructor after substitution; this is due to a promotion in the syntax tree to avoid having two nested additive constructors. Similarly, since Ø× denotes the empty multiset of multiplicative kind, substituting χ with it gives {ψ, ψ, ψ, Ø×}+; that is, first the improper {ψ, Ø×}× becomes {ψ}×; then the resulting singleton {ψ}× is promoted to ψ.


Typically we will only be interested in fragments of sub-nests, so we have the following abuse of notation, where $\circ \in \{+, \times\}$:

$$\Gamma\{\{\Gamma_1, \ldots, \Gamma_i, \Gamma_{i+1}, \ldots, \Gamma_n\}_\circ\}_\circ = \Gamma\{\Gamma_{i+1}, \ldots, \Gamma_n\}_\circ$$
The notion of rank has a natural analogue in this setting. 


Definition 13 (Depth, Rank). Let $\circ \in \{+, \times\}$. We define the depth $\partial$ on nests as follows:

$$\partial(\varphi) := 0 \qquad \partial(\{\Gamma_1, \ldots, \Gamma_n\}_\circ) := \max\{\partial(\Gamma_1), \ldots, \partial(\Gamma_n)\} + 1$$


The equivalence of the two presentations, bunches and nests, follows from a moral (in the sense that bunches are intended to be considered modulo congruence) inverse between a nestifying function $\eta$ and a bunching function $\beta$. The transformation $\beta$ simply goes from a tree with arbitrary branching to a binary one, and $\eta$ is the reverse.


Definition 14 (Canonical Translation). The canonical translation $\eta : \mathbb{B} \to \mathbb{B}/\!\equiv$ is defined recursively as follows,

$$\eta(\Delta) := \begin{cases} \Delta & \text{if } \Delta \in \mathbb{F} \cup \{\emptyset_+, \emptyset_\times\} \\ \{\eta(\Delta') \in \mathbb{B}/\!\equiv \mid \rho(\Delta') = 1 \text{ and } \Delta' \in \mathbb{B}^\times\}_+ & \text{if } \Delta \in \mathbb{B}^+ \\ \{\eta(\Delta') \in \mathbb{B}/\!\equiv \mid \rho(\Delta') = 1 \text{ and } \Delta' \in \mathbb{B}^+\}_\times & \text{if } \Delta \in \mathbb{B}^\times \end{cases}$$

The canonical translation $\beta : \mathbb{B}/\!\equiv \to \mathbb{B}$ is defined recursively as follows,

$$\beta(\Gamma) := \begin{cases} \Gamma & \text{if } \Gamma \in \mathbb{F} \cup \{\emptyset_+, \emptyset_\times\} \\ \beta(\Pi_1) ; (\beta(\Pi_2) ; (\ldots)) & \text{if } \Gamma = \{\Pi_1, \Pi_2, \ldots\}_+ \\ \beta(\Sigma_1) , (\beta(\Sigma_2) , (\ldots)) & \text{if } \Gamma = \{\Sigma_1, \Sigma_2, \ldots\}_\times \end{cases}$$


Example 15. Applying $\eta$ to the bunch in Example 3 gives the nest in Example 12.


Lemma 16. The translations are inverses up-to congruence; that is,
1. if $\Delta \in \mathbb{B}$ then $(\beta \circ \eta)(\Delta) \equiv \Delta$;
2. if $\Gamma \in \mathbb{B}/\!\equiv$ then $(\eta \circ \beta)(\Gamma) = \Gamma$;
3. let $\Delta, \Delta' \in \mathbb{B}$, then $\Delta \equiv \Delta'$ if and only if $\eta(\Delta) = \eta(\Delta')$.


Proof. The first two statements follow by induction on the depth (either for 
bunches or nests), where one must take care to consider the case of a context 
consisting entirely of units. The third statement employs the first in the forward 
direction, and proceeds by induction on depth in the reverse direction. 
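As an added illustration (not code from the paper), the following Python models nests as canonical sorted tuples with the promotion step of Example 12, and implements the translations $\eta$ and $\beta$ of Definition 14 so that Lemma 16 can be checked on sample bunches; the binary bunch encoding, the reuse of the empty nests as bunch units, and the reading of the condition $\rho(\Delta') = 1$ as "maximal sub-bunch of the opposite kind" are choices made here.

```python
# Added example (not from the paper): nests of Definition 11 with the
# promotion step of Example 12, and the canonical translations eta/beta of
# Definition 14. The bunch encoding below, and the reading of the condition
# rho(Delta') = 1 as "maximal sub-bunch of the opposite kind", are choices
# made for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Bunch:
    """Binary bunch: op is ';' (additive) or ',' (multiplicative)."""
    op: str
    left: object   # formula (str), unit (Nest with no items) or Bunch
    right: object


@dataclass(frozen=True)
class Nest:
    """Multiset nest {items}_kind with kind '+' or 'x'; items is a sorted
    tuple so that two equal multisets compare equal as tuples."""
    kind: str
    items: tuple


EMPTY_ADD = Nest('+', ())   # Ø_+, also used as the bunch unit for ';'
EMPTY_MUL = Nest('x', ())   # Ø_x, also used as the bunch unit for ','
KIND_OF = {';': '+', ',': 'x'}
OP_OF = {'+': ';', 'x': ','}


def nest(kind, items):
    """Build {items}_kind and promote as in Example 12: a same-kind nest
    directly inside (including an empty one) is an improper alternation and
    is flattened, and a resulting singleton is promoted to its element."""
    flat = []
    for it in items:
        if isinstance(it, Nest) and it.kind == kind:
            flat.extend(it.items)
        else:
            flat.append(it)
    if len(flat) == 1:
        return flat[0]            # no multiset is a singleton
    return Nest(kind, tuple(sorted(flat, key=repr)))


def eta(delta):
    """Canonical translation eta : B -> B/≡ (Definition 14)."""
    if not isinstance(delta, Bunch):
        return delta              # formula or unit: unchanged
    parts = []

    def collect(b):               # maximal sub-bunches of the other kind
        if isinstance(b, Bunch) and b.op == delta.op:
            collect(b.left)
            collect(b.right)
        else:
            parts.append(eta(b))

    collect(delta)
    return nest(KIND_OF[delta.op], parts)


def beta(gamma):
    """Canonical translation beta : B/≡ -> B (Definition 14), right-nested
    as beta(Pi_1); (beta(Pi_2); (...))."""
    if not isinstance(gamma, Nest) or not gamma.items:
        return gamma              # formula or empty nest (a unit)
    parts = [beta(x) for x in gamma.items]
    acc = parts[-1]
    for p in reversed(parts[:-1]):
        acc = Bunch(OP_OF[gamma.kind], p, acc)
    return acc


def congruent(d1, d2):
    """Coherent equivalence of bunches, decided via Lemma 16(3)."""
    return eta(d1) == eta(d2)
```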


Definition 17 (System $\eta$LBI). The nested sequent calculus $\eta$LBI is composed of the rules in Figure 2, where the metavariables denote possibly empty nests.


Observe the use of metavariable $\Gamma'$ instead of $\Pi$ (resp. $\Sigma$) as sub-contexts in Figure 2. This allows classes of inferences such as

$$\infer[*_R]{\{\Sigma_0, \ldots, \Sigma_n\}_\times \Rightarrow \varphi * \psi}{\{\Sigma_0, \ldots, \Sigma_i\}_\times \Rightarrow \varphi & \{\Sigma_{i+1}, \ldots, \Sigma_n\}_\times \Rightarrow \psi}$$

to be captured by a single figure. In practice it implements the abuse of notation given above:

$$\{\{\Sigma_0, \ldots, \Sigma_i\}_\times, \{\Sigma_{i+1}, \ldots, \Sigma_n\}_\times\}_\times \Rightarrow \varphi * \psi$$


This system is a new and very convenient presentation of LBI, not per se a 
development of the proof theory for the logic. 


Lemma 18 (Soundness and Completeness of $\eta$LBI). Systems LBI and $\eta$LBI are equivalent:

Soundness: If $\vdash_{\eta\mathrm{LBI}} \Gamma \Rightarrow \varphi$ then $\vdash_{\mathrm{LBI}} \beta(\Gamma) \Rightarrow \varphi$;
Completeness: If $\vdash_{\mathrm{LBI}} \Delta \Rightarrow \varphi$ then $\vdash_{\eta\mathrm{LBI}} \eta(\Delta) \Rightarrow \varphi$.


Proof. Each claim follows by induction on the context, appealing to Lemma 
16 to organise the data structure for the induction hypothesis, without loss of 
generality. 
Fig. 2. Sequent Calculus $\eta$LBI (figure not reproduced).


Example 19. The following is a proof in $\eta$LBI.

$$\infer[-\!*_R]{\emptyset_\times \Rightarrow (A * (B \wedge C)) -\!* ((A * B) \wedge (A * C))}{
 \infer[*_L]{A * (B \wedge C) \Rightarrow (A * B) \wedge (A * C)}{
  \infer[\wedge_R]{\{A, (B \wedge C)\}_\times \Rightarrow (A * B) \wedge (A * C)}{
   \infer[\wedge_L]{\{A, (B \wedge C)\}_\times \Rightarrow A * B}{
    \infer[*_R]{\{A, \{B, C\}_+\}_\times \Rightarrow A * B}{
     \infer[\mathrm{Ax}]{A \Rightarrow A}{} & \infer[\mathrm{Ax}]{\{B, C\}_+ \Rightarrow B}{}}}
   &
   \infer[\wedge_L]{\{A, (B \wedge C)\}_\times \Rightarrow A * C}{
    \infer[*_R]{\{A, \{B, C\}_+\}_\times \Rightarrow A * C}{
     \infer[\mathrm{Ax}]{A \Rightarrow A}{} & \infer[\mathrm{Ax}]{\{B, C\}_+ \Rightarrow C}{}}}}}}$$


We expect no obvious difficulty in studying focused proof-search with bunches 
instead of nested multisets; the design choice is simply to reduce the complexity 
of the argument by pushing all uses of exchange (E) to Lemma 18, rather than 
tackle it at the same time as focusing itself. In particular, working without 
the nested system would mean working with a weaker notion of focusing since 
the exchange rule must then be permissible during both focused and unfocused 
phases of reduction. 


3 A Focused System 


At no point in this section will we refer to bunches; thus the variable $\Delta$, so far reserved for elements of $\mathbb{B}$, is re-appropriated as an alternative to $\Gamma$.


3.1 Polarisation 


Polarity in the focusing principle is determined by the invariance of provability 
under application of a rule, that is, by the proof rules themselves. One way the 
distinction between positive and negative connectives is apparent is when their 
rules behave either synchronously or asynchronously. For example, $*_R$ and $-\!*_L$ highlight the synchronous behaviour of the multiplicative connectives, since the structure of the context affects the applicability of the rule. Displaying such synchronous behaviour on the left makes $-\!*$ a negative connective, while having it on the right makes $*$ a positive connective.

Another way to characterise the polarity of a connective is the study of the invertibility properties of the corresponding rules. For example, consider the inverses of the $\vee_L$ rule,

$$\infer{\Gamma\{\varphi\} \Rightarrow \chi}{\Gamma\{\varphi \vee \psi\} \Rightarrow \chi} \qquad \infer{\Gamma\{\psi\} \Rightarrow \chi}{\Gamma\{\varphi \vee \psi\} \Rightarrow \chi}$$


They are derivable in LBI with cut (below, the left branch being closed using Lemma 9) and therefore admissible in LBI without cut (by Lemma 8).

$$\infer[\mathrm{cut}]{\Gamma\{\varphi\} \Rightarrow \chi}{\infer[\vee_R]{\varphi \Rightarrow \varphi \vee \psi}{\varphi \Rightarrow \varphi} & \Gamma\{\varphi \vee \psi\} \Rightarrow \chi} \qquad \infer[\mathrm{cut}]{\Gamma\{\psi\} \Rightarrow \chi}{\infer[\vee_R]{\psi \Rightarrow \varphi \vee \psi}{\psi \Rightarrow \psi} & \Gamma\{\varphi \vee \psi\} \Rightarrow \chi}$$


This means that provability is invariant in general upon application of $\vee_L$, since it can always be reverted if needed, as follows

$$\infer[\vee_L]{\Gamma\{\varphi \vee \psi\} \Rightarrow \chi}{\infer{\Gamma\{\varphi\} \Rightarrow \chi}{\Gamma\{\varphi \vee \psi\} \Rightarrow \chi} & \infer{\Gamma\{\psi\} \Rightarrow \chi}{\Gamma\{\varphi \vee \psi\} \Rightarrow \chi}}$$


Note however that dual connectives do not necessarily have dual behaviours in terms of provability invariance on the left and on the right. For example, consider all the possible rules for $\wedge$, of which some qualify as positive and others as negative.

$$\infer{\Gamma\{\varphi \wedge \psi\} \Rightarrow \chi}{\Gamma\{\varphi\} \Rightarrow \chi} \qquad \infer{\Gamma\{\varphi \wedge \psi\} \Rightarrow \chi}{\Gamma\{\psi\} \Rightarrow \chi} \qquad \infer{\Gamma \Rightarrow \varphi \wedge \psi}{\Gamma \Rightarrow \varphi & \Gamma \Rightarrow \psi}$$

$$\infer{\Gamma\{\varphi \wedge \psi\} \Rightarrow \chi}{\Gamma\{\{\varphi, \psi\}_+\} \Rightarrow \chi} \qquad \infer{\{\Gamma, \Delta\}_+ \Rightarrow \varphi \wedge \psi}{\Gamma \Rightarrow \varphi & \Delta \Rightarrow \psi}$$


All of these rules are sound, and replacing the conjunction rules in LBI with 
any pair of a left and right rule will result in a sound and complete system. 
Indeed, the rules are inter-derivable when the structural rules are present, but 
otherwise they can be paired to form two sets of rules which have essentially 
different proof-search behaviours. That is, the rules in the top row make $\wedge$ negative while the bottom row make $\wedge$ positive. Each conjunction also comes with an associated unit, that is, $\top^-$ for negative conjunction and $\top^+$ for positive conjunction. We choose to add all of them to our system in order to have access to those different proof-search behaviours at will.

Finally, the polarity of the propositional letters can be assigned arbitrarily 
as long as only once for each. 
Definition 20 (Polarised Syntax). Let $\mathbb{P}^+ \cup \mathbb{P}^-$ be a partition of $\mathbb{P}$, and let $A^+ \in \mathbb{P}^+$ and $A^- \in \mathbb{P}^-$; then the polarised formulas are defined by the following grammar,

$$P, Q ::= L \mid P \vee Q \mid P * Q \mid P \wedge^+ Q \mid \top^+ \mid I \mid \bot \qquad L ::= {\downarrow}N \mid A^+$$
$$N, M ::= R \mid P \to N \mid P -\!* N \mid N \wedge^- M \mid \top^- \qquad R ::= {\uparrow}P \mid A^-$$

The set of positive formulas $P$ is denoted $\mathbb{F}^+$; the set of negative formulas $N$ is denoted $\mathbb{F}^-$; and the set of all polarised formulas is denoted $\mathbb{F}^\pm$. The sub-classifications $L$ and $R$ are left-neutral and right-neutral formulas respectively.


The shift operators have no logical meaning; they simply mediate the exchange of polarity, and thus the shifting into a new phase of proof-search. Consequently, to reduce cases in subsequent proofs, we will consider formulas of the form ${\uparrow}{\downarrow}N$ and ${\downarrow}{\uparrow}P$, but not ${\downarrow}{\uparrow}{\downarrow}N$, ${\uparrow}{\downarrow}{\uparrow}P$, etc.


Definition 21 (Depolarisation). Let $\circ \in \{\vee, *, \to, -\!*\}$, and let $A^+ \in \mathbb{P}^+$ and $A^- \in \mathbb{P}^-$; then the depolarisation function $|\cdot| : \mathbb{F}^\pm \to \mathbb{F}$ is defined as follows:

$$|A^+| := A =: |A^-| \qquad |{\uparrow}\varphi| := |\varphi| =: |{\downarrow}\varphi| \qquad |\top^+| := \top =: |\top^-| \qquad |I| := I \qquad |\bot| := \bot$$
$$|\varphi \circ \psi| := |\varphi| \circ |\psi| \qquad |\varphi \wedge^+ \psi| := |\varphi \wedge^- \psi| := |\varphi| \wedge |\psi|$$


Since proof-search is controlled by polarity, the construction of sequents in the 
focused system must be handled carefully to avoid ambiguity. 


Definition 22 (Polarised Sequents). Positive and neutral nests, denoted by $\Gamma$ and $\bar\Gamma$ resp., are defined according to the following grammars

$$\Gamma ::= \Sigma \mid \Pi \qquad \Sigma ::= P \mid \{\Pi_1, \ldots, \Pi_n\}_+ \qquad \Pi ::= P \mid \{\Sigma_1, \ldots, \Sigma_n\}_\times$$
$$\bar\Gamma ::= \bar\Sigma \mid \bar\Pi \qquad \bar\Sigma ::= L \mid \{\bar\Pi_1, \ldots, \bar\Pi_n\}_+ \qquad \bar\Pi ::= L \mid \{\bar\Sigma_1, \ldots, \bar\Sigma_n\}_\times$$

A pair of a polarised nest and a polarised formula is a polarised sequent if it falls into one of the following cases

$$\Gamma \Rightarrow N \qquad \Gamma \Rightarrow \langle P \rangle \qquad \bar\Gamma\{\langle N \rangle\} \Rightarrow R$$

The decoration $\langle \varphi \rangle$ indicates that the formula is in focus; that is, it is a positive formula on the right, or a negative formula on the left. Of the three possible cases for well-formed polarised sequents, the first may be called unfocused, with the particular case of being neutral when of the form $\bar\Gamma \Rightarrow R$; and the latter two may be called focused.


Definition 23 (Depolarised Nest). The depolarisation map extends to polarised nests $|\cdot| : \mathbb{B}/\!\equiv^{\pm} \to \mathbb{B}/\!\equiv$ as follows:

$$|\{\Pi_1, \ldots, \Pi_n\}_+| := \{|\Pi_1|, \ldots, |\Pi_n|\}_+ \qquad |\{\Sigma_1, \ldots, \Sigma_n\}_\times| := \{|\Sigma_1|, \ldots, |\Sigma_n|\}_\times$$
Fig. 3. System fBI, presented in three groups of rules: Focused, Neutral, Unfocused (figure not reproduced).


3.2 Focused Calculus 


We may now give the focused system, that is, the operational semantics for focused proof-search in LBI. All the rules, with the exception of P and N, are polarised versions of the rules from $\eta$LBI.


Definition 24 (System fBI). The focused system fBI is composed of the rules in Figure 3.


Note the absence of a cut-rule; this is because the above system is intended to encapsulate precisely focused proof-search. Below we show that a cut-rule is indeed admissible, but proofs in fBI + cut are not necessarily focused themselves. Here the distinction between the methodologies for establishing the focusing principle becomes apparent, since one may show completeness without leaving fBI by a permutation argument instead of a cut-elimination one.

The P and N rules will allow us to move a formula from one side to another during the proof of the completeness of fBI + cut (Lemma 34). The depolarised versions are not directly present in LBI, but are derivable in LBI (Lemma 9). However, the way they are focused renders them not provable in fBI, because it forces one to begin with a potentially bad choice; for example, $A \vee B \Rightarrow A \vee B$ has no proof beginning with $\vee_R$. In practice, they are a feature rather than a
bug since they allow one to terminate proof-search early, without unnecessary 
further expansion of the axiom. In related works, such as [6,5], the analogous 
rules are eliminated by initially working with a weaker notion of focused proof- 
search, and it is reasonable to suppose that the same may be true for BI. We 
leave this to future investigation. 

Note also that, although it is perhaps proof-theoretically displeasing to incorporate weakening into the operational rules as in $-\!*_L$ and $*_R$, it has good computational behaviour during focused proof-search, since the reduction of $\varphi -\!* \psi$ can only arise out of an explicit choice made earlier in the computation.

Soundness follows immediately from the depolarisation map, that is, the interpretation of polarised sequents as nested sequents; hence proofs in fBI actually are focused proofs in $\eta$LBI.


Theorem 25 (Soundness of fBI). Let $\Gamma$ be a polarised nest and $N$ a negative formula. If $\vdash_{\mathrm{fBI}} \Gamma \Rightarrow N$ then $\vdash_{\eta\mathrm{LBI}} |\Gamma| \Rightarrow |N|$.

Proof. Every rule in fBI, except the shift rules as well as the P and N axioms, becomes a rule in $\eta$LBI when the antecedent(s) and consequent are depolarised. Instances of the shift rules can be ignored, since the depolarised versions of the consequent and antecedents are the same. Finally, the depolarised versions of P and N follow from Lemma 9 with the use of some weakening.


Example 26. Consider the following proof in fBI; we suppose here that propositional letters $A$ and $C$ are negative, but $B$ is positive. Its final steps are

$$\infer[-\!*_R]{\emptyset_\times \Rightarrow ({\downarrow}A * {\downarrow}({\uparrow}B \wedge^- C)) -\!* ({\uparrow}({\downarrow}A * B) \wedge^- {\uparrow}({\downarrow}A * {\downarrow}C))}{{\downarrow}A * {\downarrow}({\uparrow}B \wedge^- C) \Rightarrow {\uparrow}({\downarrow}A * B) \wedge^- {\uparrow}({\downarrow}A * {\downarrow}C)}$$

(the upper part of the derivation is not reproduced here).


It is a focused version of the proof given in Example 19. Observe that the only 
non-deterministic choices are which formula to focus on, such as in steps (1) and 
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(2), where different choices have been made for the sake of demonstration. The 
point of focusing is that only at such points do choices that affect termination 
occur. The assignment of polarity to the propositional letters is what forced 
the shape of the proof; for example, if B had been negative the above would 
not have been well-formed. This phenomenon is standardly observed in focused systems (e.g. [7]).


We now introduce the tool which will allow us to show that if there is a proof 
of a sequent (a priori unstructured), then there is necessarily a focused one. 


Definition 27. All instances of the following rule where the sequents are well-formed are instances of cut, where $\hat\varphi$ denotes that $\varphi$ is possibly prenexed with an additional shift:

$$\infer[\mathrm{cut}]{\Gamma\{\Delta\} \Rightarrow \chi}{\Delta \Rightarrow \hat\varphi & \Gamma\{\varphi\} \Rightarrow \chi}$$


Admissibility follows from the usual argument, but within the focused system; 
that is, through the upward permutation of cuts until they are eliminated in the 
axioms or are reduced in some other measure. 


Definition 28 (Good and Bad Cuts). Let $D$ be a fBI + cut proof; a cut is a quadruple $(L, R, C, \varphi)$ where $L$ and $R$ are the premises to a cut rule concluding $C$ in $D$, and $\varphi$ is the cut-formula. They are classified as follows:

Good - If $\varphi$ is principal in both $L$ and $R$.
Bad - If $\varphi$ is not principal in one of $L$ and $R$.
Type 1: If $\varphi$ is not principal in $L$.
Type 2: If $\varphi$ is not principal in $R$.


Definition 29 (Cut Ordering). The cut-rank of a cut $(L, R, C, \varphi)$ in a proof is the triple (cut-complexity, cut-duplicity, cut-level), where the cut-complexity is the size of $\varphi$, the cut-duplicity is the number of contraction instances above the cut, and the cut-level is the sum of the heights of the sub-proofs concluding $L$ and $R$.

Let $D$ and $D'$ be two fBI + cut proofs, and let $\sigma$ and $\sigma'$ denote their multisets of cuts respectively. Proofs are ordered by $D < D' \iff \sigma < \sigma'$, where $<$ is the multiset ordering derived from the lexicographic ordering on cut-rank.


It follows from a result in [10] that the ordering on proofs is a well-order, since 
the ordering on cuts is a well-order. 


Lemma 30 (Good Cuts Elimination). Let $D$ be a fBI + cut proof of $S$; there is a fBI + cut proof $D'$ of $S$ containing no good cuts such that $D' < D$.

Proof. Let $D$ be as in the hypothesis; if it contains no good cuts then $D = D'$ gives the desired proof. Otherwise, there is at least one good cut $(L, R, C, \varphi)$. Let $\delta$ be the sub-proof in $D$ concluding $C$; then there is a transformation $\delta \mapsto \delta'$ where $\delta'$ is a fBI + cut proof of $S$ with $\delta' < \delta$ such that the multiset of good cuts in $\delta'$ is smaller (with respect to $<$) than the multiset of good cuts in $\delta$. Since $<$ is a well-order, indefinitely replacing $\delta$ with $\delta'$ in $D$ for various cuts yields the desired $D'$.

The key step is that a cut of a certain cut-complexity is replaced by cuts of 
lower cut-complexity, possibly increasing the cut-duplicity or cut-level of other 
cuts in the proof, but not modifying their complexity. 

(The derivations illustrating this step are not reproduced here.)


We denote by a double-line the fact that we do not actually use a weakening, 
but only the fact that it is admissible in fBI by construction (Lemma 10). 


Lemma 31 (Bad Cuts Elimination). Let $D$ be a fBI + cut proof of $S$ that contains only one cut, which is bad; then there is a fBI + cut proof $D'$ of $S$ such that $D' < D$.


Proof. Without loss of generality suppose the cut is the last inference in the 
proof, then it may be replaced by other cuts whose cut-level or cut-duplicity is 
smaller, but with same cut-complexity. 

First we consider bad cuts when $L$ and $R$ are both axioms. There are no Type 1 bad cuts on axioms, as the formula is always principal, while the Type 2 bad cuts can trivially be permuted upwards or ignored; for example,


(derivation not reproduced here)
Here again we are using an appropriate version of Lemma 10. 


For the remaining cases the cuts are commutative in the sense that they may 
be permuted upward thereby reducing the cut-level. An example is given below. 


(derivation not reproduced here)
The exceptional case is the interaction with contraction, where the cut is replaced by cuts of possibly equal cut-level, but the cut-duplicity decreases.

(derivation not reproduced here)


Theorem 32 (Cut-elimination in fBI). Let $\Gamma$ be a positive nest and $N$ a negative formula. Then $\vdash_{\mathrm{fBI}} \Gamma \Rightarrow N$ if and only if $\vdash_{\mathrm{fBI}+\mathrm{cut}} \Gamma \Rightarrow N$.


Proof. ($\Rightarrow$) Trivial, as any fBI-proof is a fBI + cut-proof. ($\Leftarrow$) Let $D$ be a fBI + cut-proof of $\Gamma \Rightarrow N$; if it has no cuts then it is a fBI-proof, so we are done. Otherwise, there is at least one cut, and we proceed by well-founded induction on the ordering of proofs and sub-proofs of $D$ with respect to $<$.

Base Case. Assume $D$ is minimal with respect to $<$ with at least one cut; without loss of generality, by Lemma 30, assume the cut is bad. It follows from Lemma 31 that there is a proof strictly smaller in the $<$-ordering, but this proof must be cut-free as $D$ is minimal.

Inductive Step. Let $D$ be as in the hypothesis; then by Lemma 30 there is a proof $D'$ of $\Gamma \Rightarrow N$ containing no good cuts such that $D' < D$. Either $D'$ is cut-free and we are done, or it contains bad cuts. Consider the topmost cut, and denote its sub-proof by $\delta$; it follows from Lemma 31 that there is a proof $\delta'$ of the same sequent such that $\delta' < \delta$. Hence, by the inductive hypothesis, there is a cut-free proof of that sequent, and replacing $\delta$ by this proof in $D$ gives a proof of $\Gamma \Rightarrow N$ strictly smaller in the $<$-ordering; thus by the inductive hypothesis there is a cut-free proof as required.


3.3 Completeness of fBl 


The completeness theorem of the focused system, the operational semantics, is with respect to an interpretation (i.e. a polarisation). Indeed, any polarisation may be considered; for example, both $({\downarrow}A^- * B^+) \wedge^+ {\downarrow}A^-$ and ${\downarrow}(A^+ * {\downarrow}B^-) \wedge^+ A^+$ are correct polarised versions of the formula $(A * B) \wedge A$. Taking an arbitrary $\varphi$, the process is as follows: first, fix a polarised syntax (i.e. a partition of the propositional letters into positive and negative sets), then assign a polarity to $\varphi$ with the following steps:

— If $\varphi$ is a propositional atom, it must be polarised by default;

— If $\varphi = \top$, then choose polarisation $\top^+$ or $\top^-$;

— If $\varphi = \varphi_1 \wedge \varphi_2$, first polarise $\varphi_1$ and $\varphi_2$, then choose an additive conjunction and combine accordingly, using shifts to ensure the formula is well-formed;

— If $\varphi = \varphi_1 \circ \varphi_2$ where $\circ \in \{*, -\!*, \to, \vee\}$, then polarise $\varphi_1$ and $\varphi_2$ and combine with $\circ$ accordingly, using shifts where necessary.


Example 33. Suppose $A$ is negative and $B$ is positive; then $(A * B) \wedge A$ may be polarised by choosing the additive conjunction to be positive, resulting in $({\downarrow}A * B) \wedge^+ {\downarrow}A$ (whereas ${\downarrow}(A * {\downarrow}B) \wedge^+ A$ would not be well-formed). Choosing to shift, one can ascribe a negative polarisation ${\uparrow}(({\downarrow}A * B) \wedge^+ {\downarrow}A)$.


The above generates the set of all such polarised formulas when all possible 
choices are explored. The free assignment of polarity to formulas means several 
distinct focusing procedures are captured by the completeness theorem. 
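As an added illustration (not code from the paper), the following Python carries out the polarisation steps above over the grammar of Definition 20, with a well-formedness checker and the depolarisation map of Definition 21 as a round-trip check; the tuple encoding of formulas, the tag names and the treatment of the choices for $\wedge$ and $\top$ as parameters are assumptions made here.

```python
# Added example (not from the paper): the polarisation procedure of
# Section 3.3 over the grammar of Definition 20, checked against the
# depolarisation map of Definition 21. The tuple encoding of formulas and
# the names of the tags are choices made for this illustration.

# Unpolarised formulas: atoms are str; units are ('T',), ('I',), ('F',) for
# ⊤, I, ⊥; compound formulas are (op, left, right) with op in
# {'∨', '*', '∧', '→', '-*'}. Polarised formulas add ('↑', n), ('↓', p),
# the split connectives '∧+' / '∧-' and the units ('T+',), ('T-',).

# required polarities of the (left, right) operands, and polarity of the result
SHAPE = {
    '∨': ('+', '+', '+'), '*': ('+', '+', '+'), '∧+': ('+', '+', '+'),
    '∧-': ('-', '-', '-'), '→': ('+', '-', '-'), '-*': ('+', '-', '-'),
}


def polarity(f, atoms):
    """Polarity ('+' or '-') of a polarised formula under the atom partition
    `atoms`; raises ValueError if f is not well-formed in Definition 20."""
    if isinstance(f, str):
        return atoms[f]
    op = f[0]
    if op == '↑':
        if polarity(f[1], atoms) != '+':
            raise ValueError('↑ must be applied to a positive formula')
        return '-'
    if op == '↓':
        if polarity(f[1], atoms) != '-':
            raise ValueError('↓ must be applied to a negative formula')
        return '+'
    if op in ('T+', 'I', 'F'):
        return '+'
    if op == 'T-':
        return '-'
    want_l, want_r, result = SHAPE[op]
    if (polarity(f[1], atoms), polarity(f[2], atoms)) != (want_l, want_r):
        raise ValueError(f'operands of {op} have the wrong polarity')
    return result


def is_well_formed(f, atoms):
    try:
        polarity(f, atoms)
        return True
    except ValueError:
        return False


def shift(f, want, atoms):
    """Prefix one shift if f does not already have polarity `want`."""
    if polarity(f, atoms) == want:
        return f
    return ('↑', f) if want == '-' else ('↓', f)


def polarise(f, atoms, conj='+', top='+'):
    """Steps of Section 3.3: atoms by the partition, ⊤ by `top`, ∧ by `conj`,
    other connectives by their fixed polarity, inserting shifts wherever an
    operand has the wrong polarity."""
    if isinstance(f, str):
        return f
    op = f[0]
    if op == 'T':
        return ('T' + top,)
    if op in ('I', 'F'):
        return f
    if op == '∧':
        op = '∧' + conj
    want_l, want_r, _ = SHAPE[op]
    left = shift(polarise(f[1], atoms, conj, top), want_l, atoms)
    right = shift(polarise(f[2], atoms, conj, top), want_r, atoms)
    return (op, left, right)


def depolarise(f):
    """The map |·| of Definition 21: erase shifts and polarity marks."""
    if isinstance(f, str):
        return f
    op = f[0]
    if op in ('↑', '↓'):
        return depolarise(f[1])
    if op in ('T+', 'T-'):
        return ('T',)
    if op in ('I', 'F'):
        return f
    op = '∧' if op in ('∧+', '∧-') else op
    return (op, depolarise(f[1]), depolarise(f[2]))
```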


Lemma 34 (Completeness of fBI + cut). For any unfocused sequent $\Gamma \Rightarrow N$, if $\vdash_{\eta\mathrm{LBI}} |\Gamma \Rightarrow N|$ then $\vdash_{\mathrm{fBI}+\mathrm{cut}} \Gamma \Rightarrow N$.


Proof. We show that every rule in $\eta$LBI is derivable in fBI + cut; consequently every proof in $\eta$LBI may be simulated, and hence every provable sequent has a focused proof. For the unfocused rules $\to_R$, $-\!*_R$, $\wedge_R$, $\wedge_L$, $\vee_L$, $*_L$, $\bot_L$, $\top_R$, $\top_L$ this is immediate, as it is for Ax and C. Below we give an example of how to simulate a focused rule.

Where it does not matter (e.g. in the case of inactive nests), we do not dis- 
tinguish the polarised and unpolarised versions; each of the simulations can be 
closed thanks to the presence of the P and N rules in fBI. 


$$\infer[*_R]{\{\{\Gamma, \Delta\}_\times, \Delta'\}_+ \Rightarrow \varphi * \psi}{\Gamma \Rightarrow \varphi & \Delta \Rightarrow \psi}$$

in $\eta$LBI is simulated in fBI + cut by a derivation ending in a cut (not reproduced here).


Theorem 35 (Completeness of fBI). For any unfocused $\Gamma \Rightarrow N$, if $\vdash_{\eta\mathrm{LBI}} |\Gamma \Rightarrow N|$ then $\vdash_{\mathrm{fBI}} \Gamma \Rightarrow N$.

Proof. It follows from Lemma 34 that there is a proof of $\Gamma \Rightarrow N$ in fBI + cut, and then it follows from Theorem 32 that there is a proof of $\Gamma \Rightarrow N$ in fBI.


Given an arbitrary sequent the above theorem guarantees the existence of a 
focused proof, thus the focusing principle holds for nLBI and therefore for LBI. 


4 Conclusion 


By proving the completeness of a focused sequent calculus for the logic of 
Bunched Implications, we have demonstrated that it satisfies the focusing prin- 
ciple; that is, any polarisation of a BI-provable sequent can be proved following a 
focused search procedure. This required a careful analysis of how to restrict the 
usage of structural rules. In particular, we had to fully develop the congruence- 
invariant representation of bunches as nested multisets (originally proposed in 
[12]) to treat the exchange rule within bunched structures. 


Proof-theoretically the completeness of the focused systems suggests a syn- 
tactic orderliness of LBI, though the P and N rules leave something to be desired. 
Computationally, these axioms are unproblematic as during search it makes sense 
to terminate a branch as soon as possible; however, unless they may be elim- 
inated it means that the focusing principle holds in BI only up to a point. In 
related works (c.f. [6]) the analogous problem is overcome by first considering a 
weak focused system; that is, one where the structural rules are not controlled 
and unfocused rules may be performed inside focused phases if desired. Com- 
pleteness of (strong) focusing is achieved by appealing to a synthetic system. It 
seems reasonable to suppose the same can be done for BI, resulting in a more proof-theoretically satisfactory focused calculus; exploring this possibility is a natural extension of the work on fBI.


The methodology employed for proving the focusing principle can be in- 
terpreted as soundness and completeness of an operational semantics for goal- 
directed search. The robustness of this technique is demonstrated by its efficacy 
in modal [6,5] and substructural logics [26], including now bunched ones. Al- 
though BI may be the most employed bunched logic, there are a number of 
others, such as the family of relevant logics [36], and the family of bunched log- 
ics [11], for which the focusing principle should be studied. However, without the 
presence of a cut-free sequent calculus goal-directed search becomes unclear, and 
currently such calculi do not exist for the two main variants of BI: Boolean BI 
[33] and Classical BI [4]. On the other hand, large families of bunched and sub- 
structural logics have been given hypersequent calculi [8,9]. Effective proof-search 
procedures have been established for the hypersequent calculi in the substruc- 
tural case [35], but not the bunched one, and focused proof-search for neither. 
There is a technical challenge in focusing these systems as one must not only 
decide which formula to reduce, but also which sequent. 


In the future it will be especially interesting to see how focused search, when 
combined with the expressiveness of BI, increases its modelling capabilities. In- 
deed, the dynamics of proof-search can be used to represent models of compu- 
tation within (propositional) logics; for example, the undecidability of Linear 
Logic involves simulating two-counter machines [26]. One particularly interest- 
ing direction is to see how focused proof-search in BI may prove valuable within 
the context of Separation Logic. Focused systems in particular have been used to 
emulate proofs for other logics [27]; and to give structural operational semantics 
for systems used in industry, such as algorithms for solving constraint satisfac- 
tion problems [14]. A more immediate possibility though is the formulation of 
a theorem prover; we leave providing specific implementation or benchmarks to 
future research. 
Abstract. In this paper, the theory of McCarthy’s extensional arrays 
enriched with a maxdiff operation (this operation returns the biggest 
index where two given arrays differ) is proposed. It is known from the 
literature that a diff operation is required for the theory of arrays in 
order to enjoy the Craig interpolation property at the quantifier-free 
level. However, the diff operation introduced in the literature is merely 
instrumental to this purpose and has only a purely formal meaning (it 
is obtained from the Skolemization of the extensionality axiom). Our 
maxdiff operation significantly increases the level of expressivity; how- 
ever, obtaining interpolation results for the resulting theory becomes a 
surprisingly hard task. We obtain such results via a thorough semantic 
analysis of the models of the theory and of their amalgamation proper- 
ties. The results are modular with respect to the index theory and it is 
shown how to convert them into concrete interpolation algorithms via a 
hierarchical approach. 


Keywords: Interpolation - Arrays - Amalgamation - SMT 


1 Introduction 


Since McMillan’s seminal papers [31,32], interpolation has been successfully ap- 
plied in software model checking, also in combination with orthogonal techniques 
like PDR [38] or k-induction [29]. The reason why interpolation techniques are so 
attractive is because they allow to discover in a completely automatic way new 
atoms (improperly often called ‘predicates’) that might contribute to the con- 
struction of invariants. In fact, software model-checking problems are typically 
infinite state, so invariant synthesis may require introducing formulae whose 
search is not finitely bounded. One way to discover them is to analyze spurious 
error traces; for instance, if the system under examination (described by a transition formula $Tr(x, x')$) cannot reach in $n$ steps an error configuration in $U(x)$ starting from an initial configuration in $In(x)$, this means that the formula

$$In(x_0) \wedge Tr(x_0, x_1) \wedge \cdots \wedge Tr(x_{n-1}, x_n) \wedge U(x_n)$$
is inconsistent (modulo a suitable theory $T$). From the inconsistency proof, by computing an interpolant, say at the $i$-th iteration, one can produce a formula $\phi(x)$ such that, modulo $T$, we have

$$In(x_0) \wedge \bigwedge_{j=1}^{i} Tr(x_{j-1}, x_j) \models \phi(x_i) \quad\text{and}\quad \phi(x_i) \wedge \bigwedge_{j=i+1}^{n} Tr(x_{j-1}, x_j) \wedge U(x_n) \models \bot \qquad (1)$$
This formula (and the atoms it contains) can contribute to the refinement of the current candidate loop invariant guaranteeing safety. This fact can be exploited in 
very different ways during invariant search, depending on the various techniques 
employed. It should be noticed however that interpolants are not unique and that 
different interpolation algorithms may return interpolants of different quality: all 
interpolants restrict search, but not all of them might be conclusive. 

This new application of interpolation is different from the role of interpolants 
for analyzing proof theories of various logics starting with the pioneering works 
of [15,24,34]. It should be said however that Craig interpolation theorem in first 
order logic does not give by itself any information on the shape the interpolant 
can have when a specific theory is involved. Nevertheless, this is crucial for the 
applications: when we extract an interpolant from a trace like (1), we are typ- 
ically handling a theory which might be undecidable, but whose quantifier-free 
fragment is decidable for satisfiability (usually within a somewhat ‘reasonable’ 
computational complexity). Thus, it is desirable (although not always possible) 
that the interpolant is quantifier-free, a fact which is not guaranteed in the gen- 
eral case. This is why a lot of effort has been made in analyzing quantifier-free 
interpolation, also exploiting its connection to semantic properties like amalga- 
mation and strong amalgamation (see [9] for comprehensive results in the area). 

The specific theories we want to analyze in this paper are variants of Mc- 
Carthy’s theory of arrays [30] with extensionality (see Section 3 below for a de- 
tailed description). The main operations considered in this theory are the write 
operation (i.e. the array update) and the read operation (i.e., the access to the 
content of an array cell). As such, this theory is suitable to formalize programs 
over arrays, like standard copying, comparing, searching, sorting, etc. functions; 
verification problems of this kind are collected in the SV-COMP benchmarks category “ReachSafety-Arrays”^4, where safety verification tasks involving arrays of finite but unknown length are considered.

By itself, the theory of arrays with extensionality does not have quantifier-free interpolation [28]^5; however, in [8] it was shown that quantifier-free interpolation is restored if one enriches the language with a binary function skolemizing the extensionality axiom (the result was confirmed, via different interpolation algorithms, in [23,37]). Such a Skolem function, applied to two array variables


^4 https://sv-comp.sosy-lab.org/2020/benchmarks.php

^5 This is the counterexample (due to R. Jhala): the formula $x = wr(y, i, e)$ is inconsistent with the formula $rd(x, j) \neq rd(y, j) \wedge rd(x, k) \neq rd(y, k) \wedge j \neq k$, but all possible interpolants require quantifiers to be written (with diff symbols, instead, it is possible to write down an interpolant without quantifiers, as shown in [8]).
$a, b$, returns an index $diff(a, b)$ where $a, b$ differ (it returns an arbitrary value if $a$ is equal to $b$). This semantics for the diff operation is very undetermined and does not have a significant interpretation in concrete programs. That is why we propose to modify it in order to give it a defined and natural meaning: we ask for $diff(a, b)$ to return the biggest index where $a, b$ differ (in case $a = b$ we ask for $diff(a, b)$ to be the minimum index $0$). Since it is natural to view arrays as functions defined on initial intervals of the nonnegative integers, this choice has a clear semantic motivation. The expressive power of the theory of arrays so enriched becomes bigger: for instance, if we also add to the language a constant symbol $\varepsilon$ for the undefined array constantly equal to some ‘undefined’ value $\bot$ (where $\bot$ is meant to be different from the values $a[i]$ actually in use), then we can define $|a|$ as $diff(a, \varepsilon)$. In this way we can model the fact that $a$ is undefined outside the interval $[0, |a|]$; this is useful to formalize the above mentioned SV-COMP benchmarks.

The effectiveness of quantifier-free interpolation in the theory of arrays with maxdiff is exemplified in the simple example of Figure 1: the invariant certifying the assert in line 7 of the Strcpy algorithm can be obtained by taking a suitable quantifier-free interpolant out of the spurious trace (1) already for $n = 2$. In more realistic examples, as witnessed by current research [2,3,4,5,16,22,25,13], it is quite clear that useful invariants require universal quantifiers to be expressed, and once undecidable fragments are entered, incomplete solvers must be used. However, even in such circumstances, quantifier-free interpolation does not lose its interest: for instance, the tool BOOSTER [5]^6 synthesizes universally quantified invariants out of quantifier-free interpolants (quantifier-free interpolation problems are generated by negating and Skolemizing universally quantified formulae arising during the invariant search, see [4] for details).


    1  int a[N];
    2  int b[N];
    3  int I = 0;
    4  while I < N do
    5    b[I] = a[I];
    6    I = I + 1;
    7  assert(a = b);

  initial states:   $I = 0 \wedge |a| = N-1 \wedge |b| = N-1 \wedge N > 0$
  transition $\tau$:   $I < N \wedge I' = I + 1 \wedge b' = \mathrm{wr}(b, I, \mathrm{rd}(a, I))$
  error states:   $a \neq b \wedge I = N$

Fig. 1. Strcpy function: code and associated transition system (the program counter is omitted in the latter for simplicity).
Loop invariant: $a = b \vee (N > \mathrm{diff}(a,b) \wedge \mathrm{diff}(a,b) \geq I)$.


Proving that the theory of arrays with the above ‘maxdiff’ operation enjoys quantifier-free interpolation turned out to be a surprisingly difficult task. In the end, the interpolation algorithm we obtain resembles the interpolation algorithms generated via the hierarchic locality techniques introduced in [35,36] and employed also in [37]; however, its correctness, completeness and termination proofs require a large detour through non-trivial model-theoretic arguments (these arguments are not substantially simplified by adopting the complex framework of ‘amalgamation closures’ and ‘W-separability’ of [37], which is why we preferred to supply direct proofs).

^6 BOOSTER is no longer maintained; however, it is still referred to in current experimental evaluations [16,13].

This paper concentrates on theoretical and methodological results, rather than on experimental aspects. It is almost completely dedicated to the correctness and completeness proof of our interpolation algorithm: in Subsection 3.1 we summarize our proof plan and supply basic intuitions. The paper is structured as follows: in Section 2 we recall some background; in Section 3 we introduce our theory of arrays with maxdiff; Sections 4 and 5 supply the semantic proof of the amalgamation theorem; Sections 6 and 7 are dedicated to the algorithmic aspects, whereas Section 8 analyzes complexity for the restricted case where indexes are constrained by the theory of total orders. In the final Section 9, we mention some still open problems. The main results in the paper are Theorems 2, 4, 5: for space reasons, all proofs of these theorems will only be sketched; full details are nevertheless supplied in the online available extended version [21]. This extended version contains additional material on complexity analysis and implementation. It also contains a proof of the nonexistence of uniform interpolants (see [26,27,20,10,11,12] for the definition and more information on uniform interpolants).


2 Formal Preliminaries 


We assume the usual syntactic (e.g., signature, variable, term, atom, literal, formula, and sentence) and semantic (e.g., structure, sub-structure, truth, satisfiability, and validity) notions of (possibly many-sorted) first-order logic. The equality symbol “=” is included in all signatures considered below. Notations like $E(\underline{x})$ mean that the expression (term, literal, formula, etc.) $E$ contains free variables only from the tuple $\underline{x}$. A ‘tuple of variables’ is a list of variables without repetitions and a ‘tuple of terms’ is a list of terms (possibly with repetitions). Finally, whenever we use a notation like $E(\underline{x}, \underline{y})$ we implicitly assume not only that both the $\underline{x}$ and the $\underline{y}$ are pairwise distinct, but also that $\underline{x}$ and $\underline{y}$ are disjoint. A constraint is a conjunction of literals. A formula is universal (existential) iff it is obtained from a quantifier-free formula by prefixing it with a string of universal (existential, resp.) quantifiers.


Theories and satisfiability modulo theory. A theory $T$ is a pair $(\Sigma, Ax_T)$, where $\Sigma$ is a signature and $Ax_T$ is a set of $\Sigma$-sentences, called the axioms of $T$ (we shall sometimes write directly $T$ for $Ax_T$). The models of $T$ are those $\Sigma$-structures in which all the sentences in $Ax_T$ are true. A $\Sigma$-formula $\phi$ is $T$-satisfiable (or $T$-consistent) if there exists a model $\mathcal{M}$ of $T$ such that $\phi$ is true in $\mathcal{M}$ under a suitable assignment $\mathbf{a}$ to the free variables of $\phi$ (in symbols, $(\mathcal{M}, \mathbf{a}) \models \phi$); it is $T$-valid (in symbols, $T \models \phi$) if its negation is $T$-unsatisfiable or, equivalently, $\phi$ is provable from the axioms of $T$ in a complete calculus for first-order logic. A theory $T = (\Sigma, Ax_T)$ is universal iff all sentences in $Ax_T$ are universal. A formula $\phi_1$ $T$-entails a formula $\phi_2$ if $\phi_1 \to \phi_2$ is $T$-valid (in symbols, $\phi_1 \models_T \phi_2$ or simply $\phi_1 \models \phi_2$ when $T$ is clear from the context). If $\Gamma$ is a set of formulae and $\phi$ a formula, $\Gamma \models_T \phi$ means that there are $\phi_1, \ldots, \phi_n \in \Gamma$ such that $\phi_1 \wedge \cdots \wedge \phi_n \models_T \phi$. The satisfiability modulo the theory $T$ ($SMT(T)$) problem amounts to establishing the $T$-satisfiability of quantifier-free $\Sigma$-formulae (equivalently, the $T$-satisfiability of $\Sigma$-constraints). A theory $T$ admits quantifier elimination iff for every formula $\phi(\underline{x})$ there is a quantifier-free formula $\phi'(\underline{x})$ such that $T \models \phi \leftrightarrow \phi'$.

Some theories have special names, which are becoming standard in the SMT literature; for instance, $EUF(\Sigma)$ is the pure equality theory in the signature $\Sigma$ (this is commonly abbreviated as $EUF$ if there is no need to specify the signature $\Sigma$). More standard theory names will be recalled during the paper.


Embeddings and sub-structures. The support of a structure $\mathcal{M}$ is denoted with $|\mathcal{M}|$. For a (sort, function, relation) symbol $\sigma$, we denote as $\sigma^{\mathcal{M}}$ the interpretation of $\sigma$ in $\mathcal{M}$. An embedding is a homomorphism that preserves and reflects relations and operations (see, e.g., [14]). Formally, a $\Sigma$-embedding (or, simply, an embedding) between two $\Sigma$-structures $\mathcal{M}$ and $\mathcal{N}$ is any mapping $\mu : |\mathcal{M}| \to |\mathcal{N}|$ satisfying the following three conditions: (a) it is a (sort-preserving) injective function; (b) it is an algebraic homomorphism, that is, for every $n$-ary function symbol $f$ and for every $a_1, \ldots, a_n \in |\mathcal{M}|$, we have $f^{\mathcal{N}}(\mu(a_1), \ldots, \mu(a_n)) = \mu(f^{\mathcal{M}}(a_1, \ldots, a_n))$; (c) it preserves and reflects predicates, i.e. for every $n$-ary predicate symbol $P$, we have $(a_1, \ldots, a_n) \in P^{\mathcal{M}}$ iff $(\mu(a_1), \ldots, \mu(a_n)) \in P^{\mathcal{N}}$. If $|\mathcal{M}| \subseteq |\mathcal{N}|$ and the embedding $\mu : \mathcal{M} \to \mathcal{N}$ is just the identity inclusion $|\mathcal{M}| \subseteq |\mathcal{N}|$, we say that $\mathcal{M}$ is a substructure of $\mathcal{N}$ or that $\mathcal{N}$ is a superstructure of $\mathcal{M}$. As is well known, the truth of a universal (resp. existential) sentence is preserved through substructures (resp. superstructures).


Combinations of theories. A theory $T$ is stably infinite iff every $T$-satisfiable quantifier-free formula (from the signature of $T$) is satisfiable in an infinite model of $T$. By compactness, it is possible to show that $T$ is stably infinite iff every model of $T$ embeds into an infinite one (see, e.g., [17]). A theory $T$ is convex iff for every conjunction of literals $\delta$, if $\delta \models_T \bigvee_{i=1}^{n} x_i = y_i$ then $\delta \models_T x_i = y_i$ holds for some $i \in \{1, \ldots, n\}$. Let $T_i$ be a stably-infinite theory over the signature $\Sigma_i$ such that the $SMT(T_i)$ problem is decidable for $i = 1, 2$ and such that $\Sigma_1$ and $\Sigma_2$ are disjoint (i.e. the only shared symbol is equality). Under these assumptions, the Nelson-Oppen combination result [33] says that the SMT problem for the combination $T_1 \cup T_2$ of the theories $T_1$ and $T_2$ is decidable.


Interpolation properties. Craig’s interpolation theorem [14] roughly states that if a formula $\phi$ implies a formula $\psi$ then there is a third formula $\theta$, called an interpolant, such that $\phi$ implies $\theta$, $\theta$ implies $\psi$, and every non-logical symbol in $\theta$ occurs both in $\phi$ and $\psi$. Our interest is to specialize this result to the computation of quantifier-free interpolants modulo (combinations of) theories.

Definition 1. [Plain quantifier-free interpolation] A theory $T$ admits (plain) quantifier-free interpolation (or, equivalently, has quantifier-free interpolants) iff for every pair of quantifier-free formulae $\phi, \psi$ such that $\phi \wedge \psi$ is $T$-unsatisfiable, there exists a quantifier-free formula $\theta$, called an interpolant, such that: (i) $\phi$ $T$-entails $\theta$, (ii) $\theta \wedge \psi$ is $T$-unsatisfiable, and (iii) only the variables occurring in both $\phi$ and $\psi$ occur in $\theta$.


In verification, the following extension of Definition 1 is considered more useful. 


Definition 2. [General quantifier-free interpolation] Let $T$ be a theory in a signature $\Sigma$; we say that $T$ has the general quantifier-free interpolation property iff for every signature $\Sigma'$ (disjoint from $\Sigma$) and for every pair of ground $\Sigma \cup \Sigma'$-formulae $\phi, \psi$ such that $\phi \wedge \psi$ is $T$-unsatisfiable,^7 there is a ground formula $\theta$ such that: (i) $\phi$ $T$-entails $\theta$; (ii) $\theta \wedge \psi$ is $T$-unsatisfiable; (iii) all relations, constants and function symbols from $\Sigma'$ occurring in $\theta$ also occur in $\phi$ and $\psi$.


By replacing free variables with free constants, it should be clear that general 
quantifier-free interpolation (Definition 2) implies plain quantifier-free interpo- 
lation (Definition 1); however, the converse implication does not hold. 


Amalgamation and strong amalgamation. Interpolation can be characterized se- 
mantically via amalgamation. 


Definition 3. A universal theory $T$ has the amalgamation property iff given models $\mathcal{M}_1$ and $\mathcal{M}_2$ of $T$ and a common submodel $\mathcal{A}$ of them, there exists a further model $\mathcal{M}$ of $T$ (called $T$-amalgam) endowed with embeddings $\mu_1 : \mathcal{M}_1 \to \mathcal{M}$ and $\mu_2 : \mathcal{M}_2 \to \mathcal{M}$ whose restrictions to $|\mathcal{A}|$ coincide.

A universal theory $T$ has the strong amalgamation property if the above embeddings $\mu_1, \mu_2$ and the above model $\mathcal{M}$ can be chosen so as to satisfy the following additional condition: if, for some $m_1 \in |\mathcal{M}_1|$, $m_2 \in |\mathcal{M}_2|$, $\mu_1(m_1) = \mu_2(m_2)$ holds, then there exists an element $a$ in $|\mathcal{A}|$ such that $m_1 = a = m_2$.


The first statement of the following theorem is an old result due to [6]; the 
second statement is proved in [9] (where it is also suitably reformulated for 
theories which are not universal): 


Theorem 1. Let T be a universal theory. Then 

(i) T has the amalgamation property iff it admits quantifier-free interpolants; 

(ii) T has the strong amalgamation property iff it has the general quantifier-free 
interpolation property. 


We underline that, in presence of stable infiniteness, strong amalgamation is 
a modular property (in the sense that it transfers to signature-disjoint unions of 
theories), whereas amalgamation is not (see again [9] for details). 


^7 By this (and similar notions) we mean that $\phi \wedge \psi$ is unsatisfiable in all $\Sigma \cup \Sigma'$-structures whose $\Sigma$-reduct is a model of $T$.

3 Arrays with MaxDiff


The McCarthy theory of arrays [30] has three sorts ARRAY, ELEM, INDEX (called “array”, “element”, and “index” sort, respectively) and two function symbols rd (“read”) and wr (“write”) of appropriate arities; its axioms are:

  $\forall y, i, e.\ \mathrm{rd}(\mathrm{wr}(y,i,e), i) = e$
  $\forall y, i, j, e.\ i \neq j \to \mathrm{rd}(\mathrm{wr}(y,i,e), j) = \mathrm{rd}(y, j)$.

The McCarthy theory of arrays with extensionality has the further axiom

  $\forall x, y.\ x \neq y \to (\exists i.\ \mathrm{rd}(x,i) \neq \mathrm{rd}(y,i))$,   (2)

called the ‘extensionality’ axiom. The theory of arrays with extensionality is not universal and quantifier-free interpolation fails for it [28]. In [8] a variant of the McCarthy theory of arrays with extensionality, obtained by Skolemizing the extensionality axiom, is introduced. This variant of the theory turns out to be universal and to enjoy quantifier-free interpolation. However, the Skolem function introduced in [8] is generic; here we want to make it more informative, so that it returns the biggest index where two different arrays differ. To locate our contribution in the general context, we need the notion of an index theory.


Definition 4. An index theory $T_I$ is a mono-sorted theory (let INDEX be its sort) satisfying the following conditions:
- $T_I$ is universal, stably infinite and has the general quantifier-free interpolation property (i.e. it is strongly amalgamable, see Theorem 1);
- $SMT(T_I)$ is decidable;
- $T_I$ extends the theory $TO$ of linear orderings with a distinguished element $0$.

We recall that $TO$ is the theory whose only proper symbols (besides equality) are a binary predicate $\leq$ and a constant $0$, subject to the axioms saying that $\leq$ is reflexive, transitive, antisymmetric and total (the latter means that $i \leq j \vee j \leq i$ holds for all $i, j$). Thus, the signature of an index theory $T_I$ contains at least the binary relation symbol $\leq$ and the constant $0$. In the paper, by a $T_I$-term, $T_I$-atom, $T_I$-formula, etc. we mean a term, atom, formula in the signature of $T_I$. Below, we use the abbreviation $i < j$ for $i \leq j \wedge i \neq j$. The constant $0$ is meant to separate ‘formally positive’ indexes, those satisfying $0 \leq i$, from the remaining ‘formally negative’ ones.

Examples of index theories are $TO$ itself, integer difference logic $IDL$, integer linear arithmetic $LIA$, and real linear arithmetic $LRA$. In order to match the requirements of Definition 4, one must however make a careful choice of the language, see [9] for details: the most important detail is that integer (resp. real) division by all positive integers should be added to the language of $LIA$ (resp. $LRA$). For most applications, $IDL$ (namely the theory of integer numbers with $0$, ordering, successor and predecessor)^8 suffices, as in this theory one can model counters for scanning arrays.


^8 The name ‘integer difference logic’ comes from the fact that atoms in this theory are equivalent to formulae of the kind $S^n(i) \bowtie j$ (where $\bowtie \in \{<, >, =\}$), thus they represent difference bound constraints of the kind $j - i \bowtie n$ for $n \geq 0$.

Given an index theory $T_I$, we now introduce our array theory with maxdiff $ARD(T_I)$ (parameterized by $T_I$) as follows. We still have three sorts ARRAY, ELEM, INDEX; the language includes the symbols of $T_I$, the read and write operations rd, wr, a binary function diff of type ARRAY × ARRAY → INDEX, as well as constants $\varepsilon$ and $\bot$ of sorts ARRAY and ELEM, respectively. The constant $\bot$ models an undetermined (e.g. undefined, not-in-use, not coming from appropriate initialization, etc.) value and $\varepsilon$ models the totally undefined array; the term $\mathrm{diff}(x,y)$ returns the maximum index where $x$ and $y$ differ and returns $0$ if $x$ and $y$ are equal.^9 Formally, the axioms of $ARD(T_I)$ include, besides the axioms of $T_I$, the following ones:

  $\forall y, i, e.\ i \geq 0 \to \mathrm{rd}(\mathrm{wr}(y,i,e), i) = e$   (3)
  $\forall y, i, j, e.\ i \neq j \to \mathrm{rd}(\mathrm{wr}(y,i,e), j) = \mathrm{rd}(y, j)$   (4)
  $\forall x, y.\ x \neq y \to \mathrm{rd}(x, \mathrm{diff}(x,y)) \neq \mathrm{rd}(y, \mathrm{diff}(x,y))$   (5)
  $\forall x, y, i.\ i > \mathrm{diff}(x,y) \to \mathrm{rd}(x,i) = \mathrm{rd}(y,i)$   (6)
  $\forall x.\ \mathrm{diff}(x,x) = 0$   (7)
  $\forall x, i.\ i < 0 \to \mathrm{rd}(x,i) = \bot$   (8)
  $\forall i.\ \mathrm{rd}(\varepsilon, i) = \bot$   (9)

In the read-over-write axiom (3), we put the proviso $i \geq 0$ because we want all our arrays to be undefined on negative indexes (negative updates make no sense and have no effect: by axiom (8), reading a negative index always produces $\bot$).

We call $ARext(T_I)$ (the ‘theory of arrays with extensionality parameterized by $T_I$’) the theory obtained from $ARD(T_I)$ by removing the symbol diff and by replacing the axioms (5)-(7) with the extensionality axiom (2). Since the extensionality axiom follows from axiom (5), $ARD(T_I)$ is an extension of $ARext(T_I)$.

As an effect of the above axioms, an array $x$ is undefined outside the interval $[0, |x|]$, where $|x|$ is defined as $|x| := \mathrm{diff}(x, \varepsilon)$. Typically, this interval is finite, and in fact our proof of Theorem 3 below shows that any satisfiable constraint is satisfiable in a model where all such intervals (relative to the variables involved in the constraint) are finite.

The next lemma is immediate from the axiomatization of $ARD(T_I)$:

Lemma 1. An atom of the form $a = b$ is equivalent (modulo $ARD(T_I)$) to
  $\mathrm{diff}(a,b) = 0 \wedge \mathrm{rd}(a,0) = \mathrm{rd}(b,0)$.   (10)
An atom of the form $a = \mathrm{wr}(b,i,e)$ is equivalent (modulo $ARD(T_I)$) to
  $(i \geq 0 \to \mathrm{rd}(a,i) = e) \wedge \forall h\,(h \neq i \to \mathrm{rd}(a,h) = \mathrm{rd}(b,h))$.   (11)
An atom of the form $\mathrm{diff}(a,b) = i$ is equivalent (modulo $ARD(T_I)$) to
  $i \geq 0 \wedge \forall h\,(h > i \to \mathrm{rd}(a,h) = \mathrm{rd}(b,h)) \wedge (i > 0 \to \mathrm{rd}(a,i) \neq \mathrm{rd}(b,i))$.   (12)

^9 Notice that it might well be the case that $\mathrm{diff}(x,y) = 0$ for different $x, y$, but in that case $0$ is the only index where $x, y$ differ.
For our interpolation algorithm in Section 7, we need to introduce iterated diff operations, similarly to [37]. As we know, $\mathrm{diff}(a,b)$ returns the biggest index where $a$ and $b$ differ (it returns $0$ if $a = b$). Now we want an operator that returns the last-but-one index where $a, b$ differ ($0$ if $a, b$ differ in at most one index), an operator that returns the last-but-two index where $a, b$ differ ($0$ if they differ in at most two indexes), etc. Our language is already expressive enough for that, so we can introduce such operators explicitly as follows. Given array variables $a, b$, we define by mutual recursion the sequence of array terms $b_1, b_2, \ldots$ and of index terms $\mathrm{diff}_1(a,b), \mathrm{diff}_2(a,b), \ldots$:

  $b_1 := b$;   $\mathrm{diff}_1(a,b) := \mathrm{diff}(a, b_1)$;
  $b_{k+1} := \mathrm{wr}(b_k, \mathrm{diff}_k(a,b), \mathrm{rd}(a, \mathrm{diff}_k(a,b)))$;   $\mathrm{diff}_{k+1}(a,b) := \mathrm{diff}(a, b_{k+1})$.

Intuitively, $b_{k+1}$ is the same as $b$ except for the $k$ last indexes on which $a$ and $b$ differ, at which $b_{k+1}$ has the same value as $a$. A useful fact is that conjunctions of formulae of the kind $\bigwedge_{i \leq l} \mathrm{diff}_i(a,b) = k_i$ can be eliminated in favor of universal clauses in a language whose only symbol for array variables is rd. In detail:

Lemma 2. A formula like
  $\mathrm{diff}_1(a,b) = k_1 \wedge \cdots \wedge \mathrm{diff}_l(a,b) = k_l$   (13)
is equivalent modulo $ARD(T_I)$ to the conjunction of the following five formulae:

  $k_1 \geq k_2 \wedge \cdots \wedge k_{l-1} \geq k_l \wedge k_l \geq 0$   (14)
  $\bigwedge_{j < l} (k_j > k_{j+1} \to \mathrm{rd}(a, k_j) \neq \mathrm{rd}(b, k_j))$   (15)
  $\bigwedge_{j < l} (k_j = k_{j+1} \to k_j = 0)$   (16)
  $\bigwedge_{j \leq l} (\mathrm{rd}(a, k_j) = \mathrm{rd}(b, k_j) \to k_j = 0)$   (17)
  $\forall h\,(h > k_l \to \mathrm{rd}(a,h) = \mathrm{rd}(b,h) \vee h = k_1 \vee \cdots \vee h = k_{l-1})$   (18)
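The axioms (3)-(9), the definition $|a| := \mathrm{diff}(a, \varepsilon)$, the iterated diffs and Lemma 2 can all be checked mechanically on a small finite model. The following Python sandbox is an added example, not code from the paper: it fixes a bounded index universe $0..B-1$ with $B = 3$ and the element domain $\{\bot, 1, 2\}$ (both are assumptions chosen to keep exhaustive enumeration small; every index outside the universe reads $\bot$, so maxdiff is always defined), implements rd, wr and diff with exactly the semantics above, checks (3)-(9) and the equivalence (13) iff (14)-(18) over all arrays and all candidate tuples $k_1, \ldots, k_l$, and finally runs the Strcpy loop of Figure 1 on constructed inputs, checking its invariant at every loop head.

```python
# Added example (not the paper's code): a finite-model sandbox for ARD(T_I).
# Arrays live over the bounded index universe 0..B-1; every other index reads
# the undefined element BOT, so maxdiff is always defined (assumption of this
# sandbox, chosen so that exhaustive checks stay small).
from itertools import product

B = 3                       # size of the bounded index universe (assumption)
BOT = None                  # the element constant ⊥
ELEMS = (BOT, 1, 2)         # element domain of the finite model (constructed)
EPS = (BOT,) * B            # the totally undefined array ε (axiom (9))
IDX = range(-1, B)          # sample indexes; -1 stands for a negative index

def rd(a, i):
    """Read; indexes outside 0..B-1 give ⊥ (axiom (8) for negatives)."""
    return a[i] if 0 <= i < B else BOT

def wr(a, i, e):
    """Point-wise update; a negative update has no effect (proviso of axiom (3))."""
    return a[:i] + (e,) + a[i + 1:] if 0 <= i < B else a

def diff(a, b):
    """maxdiff: greatest index where a and b differ, 0 if a = b (axioms (5)-(7))."""
    where = [i for i in range(B) if rd(a, i) != rd(b, i)]
    return max(where) if where else 0

def length(a):
    """|a| := diff(a, ε), the last index holding a defined value."""
    return diff(a, EPS)

def iterated_diffs(a, b, l):
    """[diff_1(a,b), ..., diff_l(a,b)] via b_{k+1} := wr(b_k, diff_k, rd(a, diff_k))."""
    ks, bk = [], b
    for _ in range(l):
        k = diff(a, bk)
        ks.append(k)
        bk = wr(bk, k, rd(a, k))
    return ks

def lemma2_rhs(a, b, ks):
    """Conjunction (14)-(18) of Lemma 2 for candidate values ks = [k_1, ..., k_l]."""
    l = len(ks)
    c14 = all(ks[j] >= ks[j + 1] for j in range(l - 1)) and ks[-1] >= 0
    c15 = all(ks[j] <= ks[j + 1] or rd(a, ks[j]) != rd(b, ks[j]) for j in range(l - 1))
    c16 = all(ks[j] != ks[j + 1] or ks[j] == 0 for j in range(l - 1))
    c17 = all(rd(a, ks[j]) != rd(b, ks[j]) or ks[j] == 0 for j in range(l))
    c18 = all(h <= ks[-1] or rd(a, h) == rd(b, h) or h in ks[:-1] for h in range(B))
    return c14 and c15 and c16 and c17 and c18

def all_arrays():
    return [tuple(t) for t in product(ELEMS, repeat=B)]

def axioms_hold():
    """Exhaustively check axioms (3)-(9) on the finite model."""
    arrs = all_arrays()
    for y, i, e in product(arrs, IDX, ELEMS):
        if i >= 0 and rd(wr(y, i, e), i) != e:                            # (3)
            return False
        if any(rd(wr(y, i, e), j) != rd(y, j) for j in IDX if j != i):   # (4)
            return False
    for x, y in product(arrs, repeat=2):
        d = diff(x, y)
        if x != y and rd(x, d) == rd(y, d):                                 # (5)
            return False
        if any(rd(x, i) != rd(y, i) for i in range(d + 1, B)):             # (6)
            return False
    return (all(diff(x, x) == 0 and rd(x, -1) == BOT for x in arrs)         # (7), (8)
            and all(rd(EPS, i) == BOT for i in IDX))                        # (9)

def lemma2_holds(max_l=3):
    """(13) holds iff (14)-(18) hold, for every pair of arrays and every k_1..k_l."""
    for a, b in product(all_arrays(), repeat=2):
        for l in range(1, max_l + 1):
            actual = iterated_diffs(a, b, l)
            for ks in product(range(B), repeat=l):
                if (list(ks) == actual) != lemma2_rhs(a, b, list(ks)):
                    return False
    return True

def strcpy_certified(a, b0):
    """Run the Strcpy loop of Figure 1 on concrete arrays with |a| = |b0| = N-1 and
    check the invariant a = b ∨ (N > diff(a,b) ∧ diff(a,b) ≥ I) at every loop
    head, then the final assert(a = b)."""
    N, b, I = length(a) + 1, b0, 0
    while True:
        if not (a == b or (N > diff(a, b) and diff(a, b) >= I)):
            return False
        if not I < N:
            return a == b
        b, I = wr(b, I, rd(a, I)), I + 1

if __name__ == "__main__":
    print(axioms_hold(), lemma2_holds(), strcpy_certified((1, 2, BOT), (2, 1, BOT)))
```

`lemma2_holds` compares the tuple actually computed by the recursion with every candidate tuple, so it exercises both directions of the equivalence, including the filler cases where some $k_j$ is $0$ because the arrays differ in fewer than $j$ positions. The Strcpy check uses the non-strict bound $\mathrm{diff}(a,b) \geq I$: at $I = 0$ the two arrays may differ only at index $0$, where $\mathrm{diff}$ is $0$.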


3.1 Our roadmap 


The main result of the paper is that, for every index theory $T_I$, the array theory with maxdiff $ARD(T_I)$ indexed by $T_I$ enjoys quantifier-free interpolation and that interpolants can be computed hierarchically by relying on a black-box quantifier-free interpolation algorithm for the weaker theory $T_I \cup EUF$ (the latter theory has quantifier-free interpolation because $T_I$ is strongly amalgamable and because of Theorem 1). In this subsection, we supply intuitions and give a qualitative high-level view of our proofs: more technical details and full proofs can be found in [21].


The algorithm. 


By general easy transformations (recalled in Section 7 below), it is sufficient to be able to extract a quantifier-free interpolant out of a pair of quantifier-free formulae $A, B$ such that (i) $A \wedge B$ is $ARD(T_I)$-inconsistent; (ii) both $A$ and $B$ are conjunctions of flat literals, i.e. of literals which are equalities between variables, disequalities between variables or literals of the form $R(\underline{x})$, $\neg R(\underline{x})$, $f(\underline{x}) = y$ (where $\underline{x}, y$ are variables, $R$ is a predicate symbol and $f$ a function symbol).

Let us call common the variables occurring in both $A$ and $B$. The fact that a quantifier-free interpolant exists intuitively means that there are two reasoners (an $A$-reasoner operating on formulae involving only the variables occurring in $A$ and a $B$-reasoner operating on formulae involving only the variables occurring in $B$) that are able to discover the inconsistency of $A \wedge B$ by exchanging information on the common language, i.e. by communicating to each other only the entailed quantifier-free formulae involving the common variables.

A problem that can be addressed when designing an interpolation algorithm, 
is that there are infinitely many common terms that can be built up out of 
finitely many common variables and it may happen that some uncommon terms 
can be recognized to be equal to some common terms during the deductions 
performed by the A-reasoner and the B-reasoner. 

As an example, suppose that $A$ contains the literals $c_1 = \mathrm{wr}(c_2, i, e)$, $c_1 \neq c_2$, $a = \mathrm{wr}(c_3, i, e)$, where only $c_1, c_2, c_3$ are common (i.e. only these variables occur in $B$). Then using diff operations we can deduce $i = \mathrm{diff}(c_1, c_2)$ and $e = \mathrm{rd}(c_1, i)$, so that in the end we can conclude that $a$ is also ‘common’, being definable in terms of common variables. Thus, the $A$-reasoner must communicate (via a defining common term or in some other indirect way) to the $B$-reasoner any fact it discovers about $a$, although $a$ was not listed among the common variables from the very beginning. In more sophisticated examples, iterated diff operations are needed to discover ‘hidden’ common facts.

To cope with the above problem, our algorithm gives names $i_k = \mathrm{diff}_k(c_1, c_2)$ to all the iterated diffs of common array variables $c_1, c_2$ (the newly introduced names $i_k$ are considered common and can be replaced back with their defining terms when the interpolants are computed at the end of the algorithm).

The second component of our algorithm is instantiation. Both the $A$- and the $B$-reasoner use the content of Lemmas 1 and 2 in order to handle atoms of the kind $a = b$, $a_1 = \mathrm{wr}(a_2, i, e)$, $i = \mathrm{diff}_k(a_1, a_2)$. Whenever they come across such atoms, the equivalent formulae supplied by these lemmas are taken into consideration; in fact, whenever the lemmas produce universally quantified clauses of the kind $\forall h\, C$, they replace in $C$ the universally quantified index variable $h$ by all possible instantiations with their own index terms (these are the terms built up from index variables occurring in $A$ for the $A$-reasoner and occurring in $B$ for the $B$-reasoner, respectively). Such instantiations can be read as clauses in the language of $T_I \cup EUF$ if we replace every array variable $a$ by a fresh unary function symbol $f_a$ and read terms like $\mathrm{rd}(a, i)$ as $f_a(i)$.

Of course both the production of names for iterated diff-terms and the instantiation with owned index terms need to be repeated (possibly, infinitely many times); we prove however (this is the content of our main Theorem 4 below) that if $A \wedge B$ is $ARD(T_I)$-inconsistent, then sooner or later the union of the sets of the clauses deduced by the $A$-reasoner and the $B$-reasoner in the restricted signature of $T_I \cup EUF$ is $T_I \cup EUF$-inconsistent, i.e., the instantiation process terminates. This means that an interpolant can be extracted, using a black-box quantifier-free interpolation algorithm for the weaker theory $T_I \cup EUF$. In the simple case where $T_I$ is just the theory $TO$ of total orders, we shall prove in Section 8 that a quadratic number of instantiations always suffices. In the general case, however, the situation is similar to the statement of Herbrand’s theorem: finitely many instantiations suffice to get an inconsistency proof in the weaker logical formalism, but no bound can be given in advance.


The proof. 


Theorem 4 is proved in a contrapositive way: we show that if a $T_I \cup EUF$-inconsistency never arises, then $A \wedge B$ is $ARD(T_I)$-consistent. This is proved in two steps: if $T_I \cup EUF$-inconsistency does not arise, we produce two $ARD(T_I)$-models $\mathcal{A}$ and $\mathcal{B}$, where $\mathcal{A}$ satisfies $A$ and $\mathcal{B}$ satisfies $B$. Moreover, $\mathcal{A}$ and $\mathcal{B}$ are built up in such a way that they share the same $ARD(T_I)$-substructure. In the second step, we prove the amalgamation theorem for $ARD(T_I)$, so that the amalgamated model will produce the desired model of $A \wedge B$. In fact, the two steps are inverted in our exposition: we first prove the amalgamation theorem in Section 5 (Theorem 2) and then our main theorem in Section 7 (Theorem 4).


4 Embeddings 


We preliminarily discuss the class of models of $ARD(T_I)$ and we make important clarifications about embeddings between such models. A model $\mathcal{M}$ of $ARext(T_I)$ or of $ARD(T_I)$ is functional when the following conditions are satisfied:

(i) $\mathrm{ARRAY}^{\mathcal{M}}$ is a subset of the set of all positive-support functions from $\mathrm{INDEX}^{\mathcal{M}}$ to $\mathrm{ELEM}^{\mathcal{M}}$ (a function $a$ is positive-support iff $a(i) = \bot$ for every $i < 0$);
(ii) rd is function application;
(iii) wr is the point-wise update operation (i.e., for $i \geq 0$, the function $\mathrm{wr}(a, i, e)$ returns the same values as the function $a$, except at the index $i$ where it returns the element $e$).

Because of the extensionality axiom, it can be shown that every model is isomorphic to a functional one. For an array $a \in \mathrm{ARRAY}^{\mathcal{M}}$ in a functional model $\mathcal{M}$ and for $i \in \mathrm{INDEX}^{\mathcal{M}}$, since $a$ is a function, we interchangeably use the notations $a(i)$ and $\mathrm{rd}(a, i)$. A functional model $\mathcal{M}$ is said to be full iff $\mathrm{ARRAY}^{\mathcal{M}}$ consists of all the positive-support functions from $\mathrm{INDEX}^{\mathcal{M}}$ to $\mathrm{ELEM}^{\mathcal{M}}$.

Let $a, b$ be elements of $\mathrm{ARRAY}^{\mathcal{M}}$ in a model $\mathcal{M}$. We say that $a$ and $b$ are cardinality dependent (in symbols, $\mathcal{M} \models \|a - b\| < \omega$) iff $\{ i \in \mathrm{INDEX}^{\mathcal{M}} \mid \mathcal{M} \models \mathrm{rd}(a,i) \neq \mathrm{rd}(b,i) \}$ is finite. Cardinality dependency in $\mathcal{M}$ is obviously an equivalence relation, which we sometimes denote as $\sim_{\mathcal{M}}$.

Passing to $ARD(T_I)$, a further remark is in order: in a functional model $\mathcal{M}$ of $ARD(T_I)$, the index $\mathrm{diff}(a,b)$ (if it exists) is uniquely determined: it must be the maximum index where $a, b$ differ (it is $0$ if $a = b$). We say that $\mathrm{diff}(a,b)$ is defined iff there is a maximum index where $a, b$ differ (or if $a = b$).
An embedding $\mu : \mathcal{M} \to \mathcal{N}$ between $ARext(T_I)$-models is said to be diff-faithful iff whenever $\mathrm{diff}(a,b)$ is defined so is $\mathrm{diff}(\mu(a), \mu(b))$, and it is equal to $\mu(\mathrm{diff}(a,b))$. Since there might not be a maximum index where $a, b$ differ, in principle it is not always possible to expand a functional model of $ARext(T_I)$ to a functional model of $ARD(T_I)$ keeping the set of indexes unchanged. Indeed, in order to do that in a diff-faithful way, one needs to explicitly add to INDEX new indexes, including at least indexes representing the missing maximum indexes where two given arrays differ. This idea is used in the following lemma (proved in the online available extended version [21]):

Lemma 3. For every index theory $T_I$, every model of $ARext(T_I)$ has a diff-faithful embedding into a model of $ARD(T_I)$.


5 Amalgamation 


We now sketch the proof of the amalgamation property for $ARD(T_I)$. We recall that strong amalgamation holds for models of $T_I$ (see Definition 4).

Theorem 2. $ARD(T_I)$ enjoys the amalgamation property.

Proof. Take two embeddings $\mu_1 : \mathcal{A} \to \mathcal{M}_1$ and $\mu_2 : \mathcal{A} \to \mathcal{M}_2$. As we know, we can suppose, w.l.o.g., that $\mathcal{A}, \mathcal{M}_1, \mathcal{M}_2$ are functional models; in addition, via suitable renamings, we can freely suppose that $\mu_1, \mu_2$ restrict to inclusions for the sorts INDEX and ELEM, and that $(\mathrm{ELEM}^{\mathcal{M}_1} \setminus \mathrm{ELEM}^{\mathcal{A}}) \cap (\mathrm{ELEM}^{\mathcal{M}_2} \setminus \mathrm{ELEM}^{\mathcal{A}}) = \emptyset$ and $(\mathrm{INDEX}^{\mathcal{M}_1} \setminus \mathrm{INDEX}^{\mathcal{A}}) \cap (\mathrm{INDEX}^{\mathcal{M}_2} \setminus \mathrm{INDEX}^{\mathcal{A}}) = \emptyset$. To build the amalgamated model of $ARD(T_I)$, we first build a full model $\mathcal{M}$ of $ARext(T_I)$ with diff-faithful embeddings $\nu_1 : \mathcal{M}_1 \to \mathcal{M}$ and $\nu_2 : \mathcal{M}_2 \to \mathcal{M}$ such that $\nu_1 \circ \mu_1 = \nu_2 \circ \mu_2$. If we succeed, the claim follows by Lemma 3: indeed, thanks to that lemma, we can embed in a diff-faithful way $\mathcal{M}$ (which is a model of $ARext(T_I)$) into a model $\mathcal{M}'$ of $ARD(T_I)$, which is the required $ARD(T_I)$-amalgam.

We take the $T_I$-reduct of $\mathcal{M}$ to be a model supplied by the strong amalgamation property of $T_I$ (again, we can freely assume that the $T_I$-reducts of $\mathcal{M}_1, \mathcal{M}_2$ identically include into it); we let $\mathrm{ELEM}^{\mathcal{M}}$ be $\mathrm{ELEM}^{\mathcal{M}_1} \cup \mathrm{ELEM}^{\mathcal{M}_2}$. We need to define $\nu_i : \mathcal{M}_i \to \mathcal{M}$ ($i = 1, 2$) in such a way that $\nu_i$ is diff-faithful and $\nu_1 \circ \mu_1 = \nu_2 \circ \mu_2$. We take the INDEX and the ELEM components of $\nu_1, \nu_2$ to be just identical inclusions. The only relevant point is the action of $\nu_i$ on $\mathrm{ARRAY}^{\mathcal{M}_i}$: since we have strong amalgamation for indexes, in order to define it, it is sufficient to extend any $a \in \mathrm{ARRAY}^{\mathcal{M}_i}$ to all the indexes $k \in (\mathrm{INDEX}^{\mathcal{M}} \setminus \mathrm{INDEX}^{\mathcal{M}_i})$. For indexes $k \in (\mathrm{INDEX}^{\mathcal{M}} \setminus (\mathrm{INDEX}^{\mathcal{M}_1} \cup \mathrm{INDEX}^{\mathcal{M}_2}))$ we can just put $\nu_i(a)(k) = \bot$. If $k \in (\mathrm{INDEX}^{\mathcal{M}} \setminus \mathrm{INDEX}^{\mathcal{M}_i})$ and $k \in (\mathrm{INDEX}^{\mathcal{M}_1} \cup \mathrm{INDEX}^{\mathcal{M}_2})$, then $k \in (\mathrm{INDEX}^{\mathcal{M}_{3-i}} \setminus \mathrm{INDEX}^{\mathcal{A}})$; the definition for such $k$ is as follows:

(*) we let $\nu_i(a)(k)$ be equal to $\mu_{3-i}(c)(k)$, where $c$ is any array $c \in \mathrm{ARRAY}^{\mathcal{A}}$ for which there is $a' \in \mathrm{ARRAY}^{\mathcal{M}_i}$ such that $a \sim_{\mathcal{M}_i} a'$ and such that the relation $k > \mathrm{diff}^{\mathcal{M}_i}(a', \mu_i(c))$ holds in $\mathrm{INDEX}^{\mathcal{M}}$;^10 if such a $c$ does not exist, then we put $\nu_i(a)(k) = \bot$.

^10 This should properly be written as $k > \nu_i(\mathrm{diff}^{\mathcal{M}_i}(a', \mu_i(c)))$; however, recall that the INDEX component of $\nu_i$ is the identity, so the simplified notation is nevertheless correct.

Definition (*) is forced by some constraints that $\nu_i(a)(k)$ must satisfy. Of course, definition (*) itself needs to be justified: besides showing that it enjoys the required properties, we must also prove that it is well-given (i.e. that it does not depend on the selected $c$ and $a'$). It is easy to see that, if the definition is correct, then we have $\nu_1 \circ \mu_1 = \nu_2 \circ \mu_2$; also, it is clear that $\nu_i$ preserves read and write operations (hence, it is a homomorphism) and is injective. For (i) justifying the definition of $\nu_i$ and (ii) showing that it is also diff-faithful, we need to show the following two claims (the proof is not easy, see the extended version [21] for details) for arrays $a_1, a_2 \in \mathrm{ARRAY}^{\mathcal{M}_1}$, for an index $k \in (\mathrm{INDEX}^{\mathcal{M}_2} \setminus \mathrm{INDEX}^{\mathcal{A}})$ and for arrays $c_1, c_2 \in \mathrm{ARRAY}^{\mathcal{A}}$ (checking the same facts in $\mathcal{M}_2$ is symmetrical):

(i) if $a_1 \sim_{\mathcal{M}_1} a_2$ and $k > \mathrm{diff}^{\mathcal{M}_1}(a_1, \mu_1(c_1))$, $k > \mathrm{diff}^{\mathcal{M}_1}(a_2, \mu_1(c_2))$, then $\mu_2(c_1)(k) = \mu_2(c_2)(k)$.
(ii) if $k > \mathrm{diff}^{\mathcal{M}_1}(a_1, a_2)$, then $\nu_1(a_1)(k) = \nu_1(a_2)(k)$.   □


6 Satisfiability 


The key step of the interpolation algorithm that will be proposed in Section 7 depends upon the problem of checking satisfiability (modulo $ARD(T_I)$) of quantifier-free formulae; this will be solved in the present section by adapting instantiation techniques, like those from [7].

We define the complexity $c(t)$ of a term $t$ as the number of function symbols occurring in $t$ (thus variables and constants have complexity $0$). A flat literal $L$ is a formula of the kind $x_1 = t$ or $x_1 \neq x_2$ or $R(x_1, \ldots, x_n)$ or $\neg R(x_1, \ldots, x_n)$, where the $x_i$ are variables, $R$ is a relation symbol, and $t$ is a term of complexity less than or equal to $1$. If $\mathcal{I}$ is a set of $T_I$-terms, an $\mathcal{I}$-instance of a universal formula of the kind $\forall i\, \phi$ is a formula of the kind $\phi(t/i)$ for some $t \in \mathcal{I}$.

A pair of sets of quantifier-free formulae $\Phi = (\Phi_1, \Phi_2)$ is a separated pair iff
(1) $\Phi_1$ contains equalities of the form $\mathrm{diff}_k(a,b) = i$ and $a = \mathrm{wr}(b, i, e)$; moreover, if it contains the equality $\mathrm{diff}_k(a,b) = i$, it must also contain an equality of the form $\mathrm{diff}_l(a,b) = j$ for every $l < k$;
(2) $\Phi_2$ contains Boolean combinations of $T_I$-atoms and of atoms of the forms:

  $\mathrm{rd}(a,i) = \mathrm{rd}(b,j)$,   $\mathrm{rd}(a,i) = e$,   $e_1 = e_2$,   (19)

where $a, b, i, j, e, e_1, e_2$ are variables or constants of the appropriate sorts. The separated pair is said to be finite iff $\Phi_1$ and $\Phi_2$ are both finite.

In practice, in a separated pair $\Phi = (\Phi_1, \Phi_2)$, reading $\mathrm{rd}(a,i)$ as a function application, it turns out that the formulae from $\Phi_2$ can be translated into quantifier-free formulae of the combined theory $T_I \cup EUF$ (the array variables occurring in $\Phi_2$ are converted into free unary function symbols). $T_I \cup EUF$ enjoys the decidability of the quantifier-free fragment and has quantifier-free interpolation because $T_I$ is an index theory (see the Nelson-Oppen results [33] and Theorem 1): we adopt a hierarchical approach (similar to [35,36]) and we rely on satisfiability and interpolation algorithms for such a theory as black boxes.

Let $\mathcal{I}$ be a set of $T_I$-terms and let $\Phi = (\Phi_1, \Phi_2)$ be a separated pair; we let $\Phi(\mathcal{I}) = (\Phi_1(\mathcal{I}), \Phi_2(\mathcal{I}))$ be the smallest separated pair satisfying the following conditions:
- $\Phi_1(\mathcal{I})$ is equal to $\Phi_1$ and $\Phi_2(\mathcal{I})$ contains $\Phi_2$;
- $\Phi_2(\mathcal{I})$ contains all $\mathcal{I}$-instances of the two formulae
  $\forall i\ \mathrm{rd}(\varepsilon, i) = \bot$,   $\forall i\ (i < 0 \to \mathrm{rd}(a, i) = \bot)$,
  where $a$ is any array variable occurring in $\Phi_1$ or $\Phi_2$;
- if $\Phi_1$ contains the atom $a = \mathrm{wr}(b, i, e)$ then $\Phi_2(\mathcal{I})$ contains all the $\mathcal{I}$-instances of the formula (11);
- if $\Phi_1$ contains the conjunction $\bigwedge_{i \leq l} \mathrm{diff}_i(a,b) = k_i$, then $\Phi_2(\mathcal{I})$ contains the formulae (14), (15), (16), (17) as well as all $\mathcal{I}$-instances of the formula (18).
For $M \in \mathbb{N} \cup \{\infty\}$, the $M$-instantiation of $\Phi = (\Phi_1, \Phi_2)$ is the separated pair $\Phi(\mathcal{I}^M_\Phi) = (\Phi_1(\mathcal{I}^M_\Phi), \Phi_2(\mathcal{I}^M_\Phi))$, where $\mathcal{I}^M_\Phi$ is the set of $T_I$-terms of complexity at most $M$ built up from the index variables occurring in $\Phi_1, \Phi_2$. The full instantiation of $\Phi = (\Phi_1, \Phi_2)$ is the separated pair $\Phi(\mathcal{I}^\infty_\Phi) = (\Phi_1(\mathcal{I}^\infty_\Phi), \Phi_2(\mathcal{I}^\infty_\Phi))$ (which is usually not finite). A separated pair $\Phi = (\Phi_1, \Phi_2)$ is $M$-instantiated iff $\Phi = \Phi(\mathcal{I}^M_\Phi)$; it is $ARD(T_I)$-satisfiable iff so is the formula $\bigwedge \Phi_1 \wedge \bigwedge \Phi_2$.


Example 1. Let $\Phi_1$ contain the four atoms
$$\{\ \mathrm{diff}(a, c_1) = i_1,\quad \mathrm{diff}(b, c_2) = i_1,\quad a = \mathrm{wr}(a_1, i_3, e_3),\quad a_1 = \mathrm{wr}(b, i_1, e_1)\ \}$$
and let $\Phi_2$ be empty. Then $(\Phi_1, \Phi_2)$ is a separated pair; 0-instantiating it adds to $\Phi_2$ the following formulae (we delete those which are redundant):
$$\begin{array}{ll}
i_1 \ge 0 & \\
\mathrm{rd}(a, i_1) = \mathrm{rd}(c_1, i_1) \rightarrow i_1 = 0 & \mathrm{rd}(b, i_1) = \mathrm{rd}(c_2, i_1) \rightarrow i_1 = 0 \\
i_3 > i_1 \rightarrow \mathrm{rd}(a, i_3) = \mathrm{rd}(c_1, i_3) & i_3 > i_1 \rightarrow \mathrm{rd}(b, i_3) = \mathrm{rd}(c_2, i_3) \\
i_3 \ge 0 \rightarrow \mathrm{rd}(a, i_3) = e_3 & i_1 \ge 0 \rightarrow \mathrm{rd}(a_1, i_1) = e_1 \\
i_1 \ne i_3 \rightarrow \mathrm{rd}(a, i_1) = \mathrm{rd}(a_1, i_1) & i_1 \ne i_3 \rightarrow \mathrm{rd}(a_1, i_3) = \mathrm{rd}(b, i_3)
\end{array}$$
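The 0-instantiation of Example 1 carried out mechanically, as an added example (Python written for this page; it is not code from the paper or from its implementation [1]). Only the index variables occurring in $\Phi_1$ are used as instances, which is what 0-instantiation means. The shape of the write axioms (11) and of the maxdiff axiom (18) is an assumption read off the instances the example lists; only the first diff ($k = 1$) is handled, and the two $\varepsilon/\bot$ axioms, which the example's listing drops as redundant, are emitted only on request. The output is the ground $T_I \cup \mathcal{EUF}$ problem one would hand to an SMT solver:

```python
# Added example, not code from the paper or its implementation [1]: a small
# symbolic 0-instantiation engine for the write and maxdiff atoms of a separated
# pair (Phi_1, Phi_2).  The shape of the paper's formulae (11) (write axioms)
# and (18) (maxdiff axiom) is an assumption read off the instances listed in
# Example 1; only the first diff (k = 1) is handled.  Formulae are strings.

def instantiate0(phi1, with_bottom_axioms=False):
    """0-instantiate a set of Phi_1 atoms.

    Atoms: ('wr', a, b, i, e)  for  a = wr(b, i, e)
           ('diff', a, b, i)   for  diff(a, b) = i   (maxdiff, k = 1)
    0-instantiation uses only the index variables occurring in the atoms
    (terms of complexity 0); trivially redundant instances (j = i) and
    duplicates are dropped, as in the listing of Example 1.
    """
    index_vars = sorted({atom[3] for atom in phi1})
    arrays = sorted({atom[1] for atom in phi1} | {atom[2] for atom in phi1})
    out = []
    if with_bottom_axioms:
        # the two axioms every instantiation contains: the empty array is
        # undefined everywhere, every array is undefined below 0
        for j in index_vars:
            out.append(f"rd(eps,{j}) = bot")
            for a in arrays:
                out.append(f"{j} < 0 -> rd({a},{j}) = bot")
    for atom in phi1:
        if atom[0] == 'wr':
            _, a, b, i, e = atom
            # written cell holds e when the index is valid; other cells unchanged
            out.append(f"{i} >= 0 -> rd({a},{i}) = {e}")
            for j in index_vars:
                if j != i:
                    out.append(f"{j} != {i} -> rd({a},{j}) = rd({b},{j})")
        elif atom[0] == 'diff':
            _, a, b, i = atom
            # maxdiff is a valid index; if the arrays agree there they are
            # equal (diff = 0); above it they agree
            out.append(f"{i} >= 0")
            out.append(f"rd({a},{i}) = rd({b},{i}) -> {i} = 0")
            for j in index_vars:
                if j != i:
                    out.append(f"{j} > {i} -> rd({a},{j}) = rd({b},{j})")
        else:
            raise ValueError(f"unknown atom {atom!r}")
    return list(dict.fromkeys(out))   # delete duplicates, keep order

# Phi_1 of Example 1
EXAMPLE1_PHI1 = [
    ('diff', 'a', 'c1', 'i1'),
    ('diff', 'b', 'c2', 'i1'),
    ('wr', 'a', 'a1', 'i3', 'e3'),
    ('wr', 'a1', 'b', 'i1', 'e1'),
]

if __name__ == "__main__":
    for f in instantiate0(EXAMPLE1_PHI1):
        print(f)
```

Running it on `EXAMPLE1_PHI1` yields exactly the nine formulae of the example (the duplicate $i_1 \ge 0$ and the $j = i$ instances are the "redundant" ones the text deletes); with `with_bottom_axioms=True` it adds the $\varepsilon/\bot$ instances for the two index variables and five array variables.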


The following results are proved in the extended version [21]:

Lemma 4. Let $\phi$ be a quantifier-free formula; then it is possible to compute finitely many finite separated pairs $\Phi^1 = (\Phi^1_1, \Phi^1_2), \dots, \Phi^n = (\Phi^n_1, \Phi^n_2)$ such that $\phi$ is $\mathrm{ARD}(T_I)$-satisfiable iff so is one of the $\Phi^i$.

Lemma 5. The following conditions are equivalent for a finite separated pair $\Phi = (\Phi_1, \Phi_2)$:
(i) $\Phi$ is $\mathrm{ARD}(T_I)$-satisfiable;
(ii) $\bigwedge \Phi_2(I^0_\Phi)$ is $T_I \cup \mathcal{EUF}$-satisfiable.

Theorem 3. The $\mathrm{SMT}(\mathrm{ARD}(T_I))$ problem is decidable for every index theory $T_I$ (i.e. for every theory satisfying Definition 4).


^11 This might be an infinitary formula if $\Phi$ is not finite. In such a case, satisfiability obviously means that there is a model $\mathcal{M}$ where we can assign values to all variables occurring in the formulae from $\Phi_1 \cup \Phi_2$ in such a way that such formulae become simultaneously true.

Concerning the complexity of the above procedure, notice that the satisfiability of the quantifier-free fragment of common index theories (like $\mathcal{IDL}$, $\mathcal{LIA}$, $\mathcal{LRA}$) is decidable in NP; as a consequence, from the above proof we get (for such index theories) also an NP bound for our $\mathrm{SMT}(\mathrm{ARD}(T_I))$ problems, because 0-instantiation is clearly finite and polynomial. The fact that 0-instantiation suffices is a common feature of the above satisfiability procedure and of the satisfiability procedures from [7]. Unfortunately, when coming to interpolation algorithms in the next section, there is no evidence that 0-instantiation suffices.


7 An interpolation algorithm 


Since amalgamation is equivalent to quantifier-free interpolation for universal theories like $\mathrm{ARD}(T_I)$ (see Theorem 1), Theorem 2 ensures that $\mathrm{ARD}(T_I)$ has the quantifier-free interpolation property. However, the proof of Theorem 2 is not constructive, so in order to compute an interpolant for an $\mathrm{ARD}(T_I)$-unsatisfiable conjunction like $\phi(x,y) \wedge \psi(y,z)$, one should enumerate all quantifier-free formulae $\theta(y)$ which are logical consequences of $\phi$ and are inconsistent with $\psi$ (modulo $\mathrm{ARD}(T_I)$). Since the quantifier-free fragment of $\mathrm{ARD}(T_I)$ is decidable by Theorem 3, this is an effective procedure and, since interpolants of jointly unsatisfiable pairs of formulae exist, it also terminates. However, such an algorithm is not practical.

In this section, we improve the situation by supplying a better algorithm based on instantiation (à la Herbrand). In the next section, using the results of the present section, for the special case where $T_I$ is just the theory of linear orders, we identify a complexity bound for this algorithm.

Our problem is the following: given two quantifier-free formulae $A$ and $B$ such that $A \wedge B$ is not satisfiable (modulo $\mathrm{ARD}(T_I)$), compute a quantifier-free formula $C$ such that $\mathrm{ARD}(T_I) \models A \rightarrow C$, $\mathrm{ARD}(T_I) \models C \wedge B \rightarrow \bot$ and such that $C$ contains only the variables (of sort INDEX, ARRAY, ELEM) which occur both in $A$ and in $B$.

We call the variables occurring in both A and B common variables, whereas 
the variables occurring in A (resp. in B) are called A-variables (resp. B- 
variables). The same terminology applies to terms, atoms and formulae: e.g., 
a term t is an A-term (B-term, common term) iff it is built up from A-variables 
(B-variables, common variables, resp.). 

The following operations can be freely performed (see [9] or [8] for details):
(i) pick an $A$-term $t$ and a fresh variable $a$ (of appropriate sort) and conjoin $A$ to $a = t$ ($a$ will be considered an $A$-variable from now on);
(ii) pick a $B$-term $t$ and a fresh variable $b$ (of appropriate sort) and conjoin $B$ to $b = t$ ($b$ will be considered a $B$-variable from now on);
(iii) pick a common term $t$ and a fresh variable $c$ (of appropriate sort) and conjoin both $A$ and $B$ to $c = t$ ($c$ will be considered a common variable from now on);
(iv) conjoin $A$ with some quantifier-free $A$-formula which is implied (modulo $\mathrm{ARD}(T_I)$) by $A$;
(v) conjoin $B$ with some quantifier-free $B$-formula which is implied (modulo $\mathrm{ARD}(T_I)$) by $B$.

Operations (i)-(v) either add logical consequences or explicit definitions that can be eliminated (if desired) after the final computation of the interpolant. In addition, notice that if $A$ is of the form $A' \vee A''$ (resp. $B$ is of the form $B' \vee B''$) then from interpolants of $A' \wedge B$ and $A'' \wedge B$ (resp. of $A \wedge B'$ and $A \wedge B''$), we can recover an interpolant of $A \wedge B$ by taking their disjunction (resp. conjunction).

Because of the above remarks, using the procedure in the proof of Lemma 4, both $A$ and $B$ are assumed to be given in the form of finite separated pairs. Thus $A$ is of the form $\bigwedge A_1 \wedge \bigwedge A_2$ and $B$ is of the form $\bigwedge B_1 \wedge \bigwedge B_2$, for separated pairs $(A_1, A_2)$ and $(B_1, B_2)$. Also, by (iv)-(v) above, $A$ and $B$ are assumed to be both 0-instantiated. We call $A$ (resp. $B$) the separated pair $(A_1, A_2)$ (resp. $(B_1, B_2)$). We also use the letters $A_1, A_2, B_1, B_2$ both for sets of formulae and for the corresponding conjunctions; similarly, $A$ represents both the pair $(A_1, A_2)$ and the conjunction $\bigwedge A_1 \wedge \bigwedge A_2$ (and similarly for $B$).

The formulae from $A_2$ and $B_2$ are formulae in the signature of $T_I \cup \mathcal{EUF}$ (after rewriting terms of the kind $\mathrm{rd}(a,i)$ to $f_a(i)$, where the $f_a$ are free function symbols). Of course, if $A_2 \wedge B_2$ is $T_I \cup \mathcal{EUF}$-inconsistent, we can get our quantifier-free interpolant by using our black-box algorithm for interpolation in the weaker theory $T_I \cup \mathcal{EUF}$: recall that $T_I \cup \mathcal{EUF}$ has quantifier-free interpolation because $T_I$ is an index theory and by Theorem 1. The remarkable fact is that $A_2 \wedge B_2$ always becomes $T_I \cup \mathcal{EUF}$-inconsistent if sufficiently many diffs among common array variables are introduced and sufficiently many instantiations are performed.

Formally, we shall apply the loop below until $A_2 \wedge B_2$ becomes inconsistent: the loop is justified by (i)-(v) above, and Theorem 4 guarantees that $A_2 \wedge B_2$ eventually becomes inconsistent modulo $T_I \cup \mathcal{EUF}$ if $A \wedge B$ was originally inconsistent modulo $\mathrm{ARD}(T_I)$. When $A_2 \wedge B_2$ becomes inconsistent modulo $T_I \cup \mathcal{EUF}$, we can get our interpolant using the interpolation algorithm for $T_I \cup \mathcal{EUF}$. [Of course, in the interpolant returned for $T_I \cup \mathcal{EUF}$, the extra variables introduced by the explicit definitions from (iii) above need to be eliminated.] We need a counter $M$ recording how many times the Loop below has been executed (initially $M = 0$).


Loop (to be repeated until $A_2 \wedge B_2$ becomes inconsistent modulo $T_I \cup \mathcal{EUF}$).
Pick two distinct common ARRAY-variables $c_1, c_2$ and $n \ge 1$ such that no conjunct of the kind $\mathrm{diff}_n(c_1, c_2) = k$ occurs in both $A_1$ and $B_1$ (but such that for every $l < n$ there is a conjunct of the form $\mathrm{diff}_l(c_1, c_2) = k$ occurring in both $A_1$ and $B_1$). Pick also a fresh INDEX constant $k_n$; conjoin $\mathrm{diff}_n(c_1, c_2) = k_n$ to both $A_1$ and $B_1$; then $M$-instantiate both $A$ and $B$. Increase $M$ to $M + 1$.

Notice that the fresh index constants $k_n$ introduced during the loop are considered common constants (they come from explicit definitions like (iii) above) and so they are considered in the $M$-instantiation of both $A$ and $B$.


Example 2. Let $A$ be the formula $\bigwedge \Phi_1$ from Example 1 and let $B$ be
$$i_1 < i_2 \;\wedge\; i_2 < i_3 \;\wedge\; \mathrm{rd}(c_1, i_2) \ne \mathrm{rd}(c_2, i_2).$$
$B$ is 0-instantiated; 0-instantiating $A$ produces the formulae shown in Example 1. The loop needs to be executed twice; it adds the literals $\mathrm{diff}_1(c_1, c_2) = k_1$, $\mathrm{diff}_2(c_1, c_2) = k_2$; 0-instantiation then produces formulae $A_2, B_2$ whose conjunction is $T_I \cup \mathcal{EUF}$-inconsistent (inconsistency can be tested via an SMT solver like Z3 or MathSAT, see the ongoing implementation [1]). The related $T_I \cup \mathcal{EUF}$-interpolant (once $k_1$ and $k_2$ are replaced by $\mathrm{diff}_1(c_1, c_2)$ and $\mathrm{diff}_2(c_1, c_2)$, respectively) gives our $\mathrm{ARD}(T_I)$-interpolant.
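A finite-model sanity check of Example 2, added here as illustration (Python written for this page; it is neither the paper's procedure nor its implementation [1]). It enumerates every model of $A$ over a constructed index domain of four cells with two element values, checks that a candidate interpolant $C$ over the common variables $c_1, c_2, i_1, i_3$ holds in each of them, and checks that $C \wedge B$ has no model over the same domain. $C$ was derived by hand from the write and diff atoms of $A$ (above $i_1$ the arrays $c_1$ and $c_2$ can only differ at $i_3$); the paper does not print the interpolant its $T_I \cup \mathcal{EUF}$ black box returns, so $C$ is an assumption, as is the reading of the iterated diff as "largest differing index strictly below the previous diff". Exhaustive search over a finite domain is evidence for the two implications, not a proof:

```python
# Added example, not from the paper or its implementation [1]: a brute-force
# finite-model check of the interpolation problem of Example 2.  Arrays are
# tuples over indices 0..N-1 (cells below 0, which the theory fixes to ⊥, are
# left implicit).  diff_1 is the maxdiff and diff_{k+1} the largest differing
# index strictly below diff_k: my reading of the iterated diffs (assumption).
# The candidate interpolant C is hand-derived, not the one the paper computes.
from itertools import product

N = 4            # constructed index domain 0..N-1, small enough to enumerate
ELEMS = (0, 1)   # constructed element domain

def wr(a, i, e):
    """wr(a,i,e): write e at i; a write outside the domain is a no-op."""
    b = list(a)
    if 0 <= i < len(b):
        b[i] = e
    return tuple(b)

def maxdiff(a, b, below=None):
    """Largest index < below at which a and b differ; 0 if there is none."""
    hi = len(a) if below is None else below
    return max((j for j in range(hi) if a[j] != b[j]), default=0)

def diff_k(a, b, k):
    """Iterated diff: diff_1 = maxdiff, diff_{k+1} = maxdiff strictly below diff_k."""
    d = maxdiff(a, b)
    for _ in range(k - 1):
        d = maxdiff(a, b, below=d)
    return d

def models_of_A():
    """All finite models of A = Phi_1 of Example 1 (the A-part of Example 2)."""
    arrays = list(product(ELEMS, repeat=N))
    for i1, i3, e1, e3 in product(range(N), range(N), ELEMS, ELEMS):
        for b in arrays:
            a1 = wr(b, i1, e1)                 # a1 = wr(b, i1, e1)
            a = wr(a1, i3, e3)                 # a  = wr(a1, i3, e3)
            for c1 in arrays:
                if maxdiff(a, c1) != i1:       # diff(a, c1) = i1
                    continue
                for c2 in arrays:
                    if maxdiff(b, c2) != i1:   # diff(b, c2) = i1
                        continue
                    yield dict(a=a, a1=a1, b=b, c1=c1, c2=c2, i1=i1, i3=i3)

def candidate_C(c1, c2, i1, i3):
    """C: diff_1(c1,c2) <= i1  or  (diff_1(c1,c2) = i3 and diff_2(c1,c2) <= i1)."""
    d1, d2 = diff_k(c1, c2, 1), diff_k(c1, c2, 2)
    return d1 <= i1 or (d1 == i3 and d2 <= i1)

def B_holds(c1, c2, i1, i2, i3):
    """B: i1 < i2 < i3 and rd(c1,i2) != rd(c2,i2)."""
    return i1 < i2 < i3 and c1[i2] != c2[i2]

def check_example2():
    """Returns (#models of A, A |= C on all of them, C ∧ B has no finite model)."""
    n, a_implies_c = 0, True
    for m in models_of_A():
        n += 1
        a_implies_c &= candidate_C(m['c1'], m['c2'], m['i1'], m['i3'])
    arrays = list(product(ELEMS, repeat=N))
    c_and_b_unsat = not any(
        B_holds(c1, c2, i1, i2, i3) and candidate_C(c1, c2, i1, i3)
        for c1 in arrays for c2 in arrays
        for i1, i2, i3 in product(range(N), rep=3) if False) if False else not any(
        B_holds(c1, c2, i1, i2, i3) and candidate_C(c1, c2, i1, i3)
        for c1 in arrays for c2 in arrays
        for i1, i2, i3 in product(range(N), repeat=3))
    return n, a_implies_c, c_and_b_unsat

if __name__ == "__main__":
    print(check_example2())
```

`check_example2()` returns a positive model count and `True, True`: every finite model of $A$ satisfies $C$, and no assignment satisfies both $C$ and $B$. Note that $C$ mentions $\mathrm{diff}_2$: this is why the loop of the algorithm has to introduce a second diff term for the pair $(c_1, c_2)$ before the $T_I \cup \mathcal{EUF}$ black box can find the inconsistency.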


Theorem 4. If $A \wedge B$ is $\mathrm{ARD}(T_I)$-inconsistent, then the above loop terminates.

Proof. Suppose that the loop does not terminate and let $A' = (A'_1, A'_2)$ and $B' = (B'_1, B'_2)$ be the separated pairs obtained after infinitely many executions of the loop (they are the union of the pairs obtained in each step). Notice that both $A'$ and $B'$ are fully instantiated.^12 We claim that $(A', B')$ is $\mathrm{ARD}(T_I)$-consistent (contradicting the assumption that $(A, B)$ was already $\mathrm{ARD}(T_I)$-inconsistent).

Since no contradiction was found, by compactness of first-order logic, $A'_2 \cup B'_2$ has a $T_I \cup \mathcal{EUF}$-model $\mathcal{M}$ (below we treat index and element variables occurring in $A, B$ as free constants and the array variables occurring in $A, B$ as free unary function symbols). $\mathcal{M}$ is a two-sorted structure (the sorts are INDEX and ELEM) endowed, for every array variable $a$ occurring in $A, B$, with a function $a^{\mathcal{M}} : \mathrm{INDEX}^{\mathcal{M}} \rightarrow \mathrm{ELEM}^{\mathcal{M}}$. In addition, $\mathrm{INDEX}^{\mathcal{M}}$ is a model of $T_I$. We build three $\mathrm{ARD}(T_I)$-structures $\mathcal{A}, \mathcal{B}, \mathcal{C}$ and two embeddings $\mu_1 : \mathcal{C} \rightarrow \mathcal{A}$, $\mu_2 : \mathcal{C} \rightarrow \mathcal{B}$ such that $\mathcal{A} \models A'$, $\mathcal{B} \models B'$ and such that for every common variable $x$ we have $\mu_1(x^{\mathcal{C}}) = x^{\mathcal{A}}$ and $\mu_2(x^{\mathcal{C}}) = x^{\mathcal{B}}$. The consistency of $A' \cup B'$ then follows from the amalgamation Theorem 2. The two structures $\mathcal{A}, \mathcal{B}$ are obtained by taking the full functional model induced by the restriction of $\mathcal{M}$ to the interpretation of $A$-terms and $B$-terms (respectively) of sort INDEX, ELEM and then by applying Lemma 3; the construction of $\mathcal{C}$ requires some subtleties, to be detailed in the extended version [21], where the full proof of the theorem is provided. □


8 When indexes are just a total order 


Comparing the results from Sections 7 and 6, a striking difference emerges: whereas variable and constant instantiations are sufficient for satisfiability checking, our interpolation algorithm requires full instantiation over all common terms. Such a full instantiation might be quite impractical, especially in index theories like $\mathcal{LIA}$ and $\mathcal{LRA}$ (it is less annoying in theories like $\mathcal{IDL}$: here all terms are of the kind $S^n(x)$ or $P^n(x)$, where $x$ is a variable or 0 and $S, P$ are the successor and the predecessor functions). The problem disappears in simpler theories like the theory of linear orders $\mathcal{TO}$, where all terms are variables (or the constant 0). Still, even in the case of $\mathcal{TO}$, the proof of Theorem 4 does not give a bound for termination of the interpolation algorithm: we know that sooner or later an inconsistency will occur, but we do not know how many times we need to execute the main loop. We now improve the proof of Theorem 4 by supplying the missing bound. In this section, the index theory is fixed to be $\mathcal{TO}$ and we abbreviate $\mathrm{ARD}(\mathcal{TO})$ as $\mathrm{ARD}$. The full proof of the theorem below is in [21].


^12 On the other hand, the joined pair $(A'_1 \cup B'_1, A'_2 \cup B'_2)$ is not even 0-instantiated.


Interpolation and Amalgamation for Arrays with MaxDiff 285 


Theorem 5. If $A \wedge B$ is inconsistent modulo $\mathrm{ARD}$, then the above loop terminates in at most $\binom{m}{2} \cdot (n+1)$ steps, where $n$ is the number of the index variables occurring in $A, B$ and $m$ is the number of the common array variables.


Proof. We sketch a proof of the theorem: the idea is that if after $N := \binom{m}{2} \cdot (n+1)$ steps no inconsistency occurs, then we can run the algorithm for infinitely many further steps without finding an inconsistency either. Let $A^N = (A^N_1, A^N_2)$ and $B^N = (B^N_1, B^N_2)$ be obtained after $N$ executions of the loop and let $\mathcal{M}$ be a $\mathcal{TO} \cup \mathcal{EUF}$-model of $A^N_2 \wedge B^N_2$. Fix a pair of distinct common array variables $c_1, c_2$ to be handled in step $N+1$; since all pairs of common array variables have been examined in a fair way, $A^N$ and $B^N$ contain the atom $\mathrm{diff}_{n+1}(c_1, c_2) = k_{n+1}$ (in fact $N := \binom{m}{2} \cdot (n+1)$ and $\binom{m}{2}$ is the number of distinct unordered pairs of common array variables, so the pair $(c_1, c_2)$ has been examined more than $n$ times). In $\mathcal{M}$, some index variable $k_l$ with $l \le n+1$, if not assigned to 0, is assigned to an element $x$ which is different from the elements assigned to the $n$ index variables occurring in $A, B$. This allows us to enlarge $\mathcal{M}$ to a superstructure which is a model of $A^{N+1}_2 \wedge B^{N+1}_2$ by 'duplicating' $x$. Continuing in this way, we produce a chain of $\mathcal{TO} \cup \mathcal{EUF}$-models witnessing that we can run infinitely many steps of the algorithm without finding an inconsistency. □


9 Conclusions and further work 


We studied an extension of McCarthy's theory of arrays with a maxdiff symbol. This symbol produces a much more expressive theory than the theory with the plain diff symbol already considered in the literature [8,37].

We have also considered another strong enrichment, namely the combination with arithmetic theories like $\mathcal{IDL}$, $\mathcal{LIA}$, $\mathcal{LRA}$, ... (all such theories are encompassed by the general notion of an 'index theory'). Such a combination is nontrivial because it is a non-disjoint combination (the ordering relation is in the shared signature) and does not fulfill the $T_0$-compatibility requirements of [17,19,18] needed in order to modularly import satisfiability and interpolation algorithms from the component theories.

The above enrichments come with a substantial cost: although decidability of satisfiability of quantifier-free formulae is not difficult to obtain, quantifier-free interpolation becomes challenging. In this paper, we proved that quantifier-free interpolants indeed exist: the interpolation algorithm itself is rather simple, but its justification comes via a complicated detour involving semantic investigations of amalgamation properties.

The interpolation algorithm is based on hierarchic reduction to general 
quantifier-free interpolation in the index theory. The reduction requires the in- 
troduction of iterated diff terms and a finite number of instantiations of the 
universal clauses associated to write and diff-atoms. For the simple case where 
the index theory is just the theory of total orders, we were able to polynomially 
bound the depth of the iterated diff terms to be introduced as well as the number of instantiations needed. The main open problem we leave for future work is the determination of analogous bounds for richer index theories.
Abstract. Most interaction with a computer is via graphical user interfaces. These are traditionally implemented imperatively, using shared mutable state and callbacks. This is efficient, but is also difficult to reason about and error prone. Functional Reactive Programming (FRP) provides an elegant alternative which allows GUIs to be designed in a declarative fashion. However, most FRP languages are synchronous and continually check for new data. This means that an FRP-style GUI will "wake up" on each program cycle. This is problematic for applications like text editors and browsers, where often nothing happens for extended periods of time, and we want the implementation to sleep until new data arrives. In this paper, we present an asynchronous FRP language for designing GUIs called λwidget. Our language provides a novel semantics for widgets, the building block of GUIs, which offers both a natural Curry-Howard logical interpretation and an efficient implementation strategy.

Keywords: Linear Types · FRP · Asynchrony · GUIs


Introduction 


Many programs, like compilers, can be thought of as functions — they take a single 
input (a source file) and then produce an output (such as a type error message). 
Other programs, like embedded controllers, video games, and integrated devel- 
opment environments (IDEs), engage in a dialogue with their environment: they 
receive an input, produce an output, and then wait for a new input that depends 
on the prior input, and produce a new output which is in turn potentially based 
on the whole history of prior inputs. 

The usual techniques for programming interactive applications are often confusing, since different parts of the program are not written to interact via structured control flow (e.g., by passing arguments to and returning values from functions). Instead, they communicate indirectly, via state-manipulating callbacks which are implicitly invoked by an event loop. This makes program reasoning very challenging, since each of aliased mutable state, higher-order functions, and concurrency is tricky on its own, and interactive programs rely upon their combination.

This challenge has led to a great deal of work on better abstractions for 
programming reactive systems. Two of the main lines of work on this problem 
are synchronous dataflow and functional reactive programming. The synchronous 
dataflow languages, like Esterel [5], Lustre [9], and Lucid Synchrone [28], feature a programming model inspired by Kahn networks. Programs are networks
of stream-processing nodes which communicate with each other, each node con- 
suming and producing a fixed number of primitive values at each clock tick. The 
first-order nature of these languages makes them strongly analysable, which lets 
them offer powerful guarantees on space and time usage. This means they see 
substantial use in embedded and safety-critical contexts. 

Functional reactive programming, introduced by Elliott and Hudak [13], also 
uses time-indexed values, dubbed signals, rather than mutable state as its ba- 
sic primitive. However, FRP differs from synchronous dataflow by sacrificing 
static analysability in favour of a much richer programming model. Signals are 
true first-class values, and can be used freely, including in higher-order functions 
and signal-valued signals. This permits writing programs with a dynamically- 
varying dataflow network, which simplifies writing programs (such as GUIs) in 
which the available signals can change as the program executes. Over the past 
decade, a long line of work has refined FRP via the Curry-Howard correspondence [21,18,17,19,20,10,1]. This approach views functional reactive programs as
the programming counterpart for proofs of formulas in linear temporal logic [27], 
and has enabled the design of calculi which can rule out spacetime leaks [20] or 
can enforce temporal safety and liveness properties [10]. 

However, both synchronous dataflow and FRP (in both original and modal 
flavours) have a synchronous (or “pull”) model of time — time passes in ticks, 
and the program wakes up on every tick to do a little bit more computation. This 
is suitable for applications in which something new happens at every time step 
(e.g., video games), but many GUI programs like text editors and spreadsheets 
spend most of their time doing nothing. That is, even at each event, most of the 
program will continue doing nothing, and we only want to wake up a component 
when an event directly relevant to it occurs. This is important both from a 
performance point of view, as well as for saving energy (and extending battery 
life). Because of this need, most GUI programs continue to be written in the 
traditional callbacks-on-mutable-state style. 

In this paper, we give a reactive programming language whose type system 
both has a very straightforward logical reading, and which can give natural types 
to stateful widgets and the event-based programming model they encourage. 
We also derive a denotational semantics of the language, by first working out a 
semantics of widgets in terms of the operations that can be performed upon them 
and the behaviour they should exhibit. Then, we find the categorical setting in 
which the widget semantics should live, and by studying the structure this setup 
has, we are able to interpret all of the other types of the programming language. 


Contributions The contributions of this paper are: 


— We give a descriptive semantics for widgets in GUI programming, and show that this semantics correctly models a variety of expected behaviours. For example, our semantics shows that a widget which is periodically re-set to the colour red is different from a widget that was only persistently set to the colour red at the first timestep. Our semantic model can show that as long as neither one is updated, they look the same, but that they differ if they are ever set to blue: the first will return to red at reset time, and the second will remain blue.

— From this semantics, we find a categorical model within which the widget semantics naturally fits. This model is a Kripke-Joyal presheaf semantics, which is morally a "proof-relevant" Kripke model of temporal logic.

— We give a concrete calculus for event-based reactive programming, which can be implemented in terms of the standard primitives for modern GUI programming, scene graphs (or DOM) which are updated via callbacks invoked upon events. We then show that our model can soundly interpret the types of our calculus in an entirely standard way, showing that the types of our reactive programming language can be interpreted as time-varying sets.

— Furthermore, this calculus has an entirely standard logical reading in terms of the Curry-Howard correspondence. It is a "linear temporal linear logic", with the linear part of the language corresponding to the Benton-Wadler [3] LNL calculus for linear logic, and the temporal part of the language corresponding to S4.3 linear temporal logic. We also give a proof term for the S4.3 axiom enforcing the linearity of time, and show that it corresponds to the select primitive of concurrent programming.


The Language 


We now present λwidget through the API of the Widget type. This API mirrors how one would work with a GUI at the browser level. An important feature of a well-designed GUI is that it should not do anything when not in use. In particular, it should not check for new inputs in each program cycle (pull-based reactive programming), but rather sleep until new data arrives (push-based reactive programming). Many FRP languages are synchronous languages and have some internal notion of a timestep. These languages are mostly pull-based, whereas more traditional imperative reactive languages are push-based. The former have clear semantics and are easy to reason about, the latter have efficient implementations. In λwidget we would like to combine these aspects and get a language that is easy to reason about with an efficient implementation.

In general, we think of a widget as a state through time, i.e., at each timestep, 
the widget is in some state which is presented to the user. The widget is mod- 
ified by commands, which can update the state. To program with widgets, the 
programmer applies commands at various times. 

The proper type system for a language of widgets should thus be a system 
with both state and time. If we consider what a logic for widgets should be, there 
are two obvious choices. A logic for state is linear logic [14], and a logic for time 
is linear temporal logic [27]. The combination of these two is the correct setting 
for a language of widgets, and, going through Curry—Howard, the corresponding 
type theory is a linear, linear temporal type theory. 
Widget API. To work with widgets, we define an API which mirrors how one would work with a browser-level GUI:

newWidget  : 1 ⊸ ∃(i : Id), Widget i
dropWidget : ∀(i : Id), Widget i ⊸ 1
setColor   : ∀(i : Id), F Color ⊗ Widget i ⊸ Widget i
onClick    : ∀(i : Id), Widget i ⊸ Widget i ⊗ ◇1
onKeypress : ∀(i : Id), Widget i ⊸ Widget i ⊗ ◇(F Char)

out   : ◇A ⊸ ∃(n : Time), A@n
into  : ∃(n : Time), A@n ⊸ ◇A
split : ∀(i : Id)(t : Time), Widget i ⊸ Prefix i t ⊗ (Widget i)@t
join  : ∀(i : Id)(t : Time), Prefix i t ⊗ (Widget i)@t ⊸ Widget i

The first two commands create and delete widgets, respectively. The ⊸ should be understood as state passing. We read the type of newWidget as "consuming no state, produce a new identifier index and a widget with that identifier index". The identifier indices are used to ensure the correct behavior when using the split and join commands explained below. The existential quantification describes the non-deterministic creation of an identifier index. The use of non-determinism is crucial in our language and will be explained in further detail in Section 1. Since λwidget has a linear type system, we need an explicit construction to delete state. For widgets, this is dropWidget. The type is read as "for any identifier index, consume a widget with that identifier index and produce nothing".

The first command that modifies the state of a widget is setColor. Here we see the adjoint nature of the calculus with F Color. A color is itself not a linear thing, and as such, to use it in the linear setting, we apply F, which moves from the non-linear (Cartesian) fragment into the linear fragment. The second new thing is the linear product ⊗. This differs from the regular non-linear product in that we do not have projection maps. Again, because of the linearity of our language, we cannot just discard state. We can now read the type of setColor as "Given a color and an identified widget, consume both and produce a new widget". The produced widget is the same as the consumed widget, but with the color attribute updated.

The next two commands, onClick and onKeypress, are roughly similar. Both register a handler on the widget, for a mouse click and a key press, respectively. Here we see the first use of the ◇ modality, which represents an event. The type ◇A represents that at some point in the future we will receive something of type A. Importantly, because of the asynchronous nature of λwidget, we do not know when it happens. We can then read the type of onClick as "Consuming an identified widget, produce an updated widget together with a mouse click event". The same holds for onKeypress except that a key press event is produced.

The two commands out and into allow us to work with events in a more precise way. Given an event, we can use out to "unfold" it into an existential. The @ connective describes a type that is only available at a certain timestep, i.e., A@n means "at the timestep n, a term of type A will be available". The into command is the reverse of out and turns an existential and an @ into an event.
Note that besides the above ways of constructing events, we can also turn any value into an event using the evt construction which is part of the core calculus. Given some element a : A, we get evt a : ◇A, which represents the event that returns immediately.

So far, we have only applied commands to a widget in the current timestep, but to program appropriately with widgets, we should be able to react to events and apply commands "in the future". This is exactly what the split and join commands allow us to do. The type of split is read as "Given any timestep and any identified widget, split the widget into all the states before that time and the widget at that time". We call the collection of states before a given time a prefix and give it the type Prefix. Given the state of the widget at a given timestep, we can now apply commands at that timestep. Note that both the prefix and the widget are indexed by the same identifier index. This is to ensure that when we use join, we combine the correct prefix and future.


Widget Programming To see the API in action, we now proceed with several 
examples of widget programming. For each example, we will add a comment 
on each line with the type of variables, and then explain the example in text 
afterwards. 

One of the simplest things we can do with a widget is to perform some action 
when the widget is clicked. In the following example, we register a handler for 
mouse clicks, and then we use the click event to change the color of the widget 
to red at the time of the click. To do this, we use the out map to get the time 
of the event, then we split the widget and apply setColor at that point in the 
future. 


1  turnRedOnClick : ∀(i : Id), Widget i ⊸ Widget i
2  turnRedOnClick i w0 =
3    let (w1, c0) = onClick i w0 in          -- w1 : Widget i, c0 : ◇1
4    let unpack (x, c1) = out c0 in          -- x : Time, c1 : 1@x
5    let c2 @ x = c1 in                      -- c2 : 1 at time x
6    let () @ x = c2 in
7    let (p, w2) = split i x w1 in           -- p : Prefix i x, w2 : (Widget i)@x
8    let w3 @ x = w2 in                      -- w3 : Widget i at time x
9    let w4 =                                -- w4 : (Widget i)@x
10     (setColor (F Red) w3) @ x in
11   join i x (p, w4)

To see why this type checks, we go through the example line by line. In line 3, we register a handler for a mouse click on the widget. In line 4, we turn the click event into an existential. In line 5, we get c2, which is a binding that is only available at the timestep x. Since we only need the time of the click, we discharge the click itself in line 6. In lines 7 and 8, we split the widget using the timestep x and bind w3 to the state of the widget at that timestep. In lines 9-10, we change the color of the widget to red at x, and in line 11 we recompose the widget.
In general, we will allow pattern matching in eliminations and, since widget identity indices can always be inferred, we will omit them. In this style, the above example becomes:

1  turnRedOnClick : ∀(i : Id), Widget i ⊸ Widget i
2  turnRedOnClick w0 =
3    let (w1, c0) = onClick w0 in            -- w1 : Widget i, c0 : ◇1
4    let unpack (x, () @ x) = out c0 in      -- x : Time
5    let (p, w2 @ x) = split x w1 in         -- p : Prefix i x, w2 : Widget i at time x
6    join x (p, (setColor (F Red) w2) @ x)


We will use the same sugared style throughout the rest of the examples. 

The above example turns a widget red exactly at the time of the mouse 
click, but will not do anything with successive clicks. To also handle further 
mouse clicks, we must register an event handler recursively. This is a simple 
modification of the previous code: 


1  keepTurningRed : ∀(i : Id), Widget i ⊸ Widget i
2  keepTurningRed w0 =
3    let (w1, c0) = onClick w0 in            -- w1 : Widget i, c0 : ◇1
4    let unpack (x, () @ x) = out c0 in      -- x : Time
5    let (p, w2 @ x) = split x w1 in         -- p : Prefix i x, w2 : Widget i at time x
6    join x (p, (setColor (F Red) (keepTurningRed w2)) @ x)


By calling itself recursively, this function will make sure a widget will always 
turn red on a mouse click. 

To understand the difference between the two examples above, consider the code turnBlueOnClick (keepTurningRed w), where w is some widget. On the first click, the widget will turn blue, on the second click it will turn red and on any subsequent click it will keep turning red, i.e., stay red unless further modified.

When working with widgets, we will often register multiple handlers on a 
single widget. For example, a widget should have one behavior for a click and 
another behavior for a key press. To choose between two events, we use the select 
construction. This construction is central to our language and how to think about 
a push-based reactive language. 

Given two events, t1 : ◇A, t2 : ◇B, there are three possible behaviors: either 
t1 returns first and we wait for t2, or t2 returns first and we wait for t1, or they 
return at the same time. In general, we want to select between n events, but if 
we need to handle all possible cases, this gives 2^n cases, so to keep the syntax 
linear in size, we omit the last case. In the case that events actually return at 
the same time, we make a non-deterministic choice between them. The syntax for 
select is 


select (t1 as x → t1' | t2 as y → t2') 


where x : A, y : B, t1' : A ⊸ ◇B ⊸ ◇C and t2' : B ⊸ ◇A ⊸ ◇C. The second 
important thing to understand when working with select is that, since we are 
working with events, we do not actually know at which timestep the events will 
trigger, and hence we do not know what the (linear) context contains. Thus, 
when using select, we will only know either a : A, t2 : ◇B or t1 : ◇A, b : B. We 
can think of the select rule as a case-expression that must respect time. 

In the following example, we register two handlers, one for clicks and one for 
key presses, and change the color of the widget based on which returns first. We 
will only annotate the new parts. 


1  widgetSelect : ∀ (i : Id), Widget i ⊸ Widget i
2  widgetSelect w0 =
3    let (w1, c) = onClick w0 in             -- c : ◇I
4    let (w2, k) = onKeypress w1 in          -- k : ◇(F Char)
5    let col =                               -- col : ◇(F Color)
6      select
7        (c as x → let () = x in             -- x : I, k : ◇(F Char)
8                  let unpack (t, () @ t)
9                    = out (mapE (fun F (_) → ()) k) in
10                 evt (F Red)
11       | k as y → let F k' = y in          -- y : F Char, c : ◇I
12                  let unpack (t, () @ t) = out c in
13                  evt (F Blue)) in
14   let unpack (x, col' @ x) = out col in   -- col' : F Color at time x
15   let (p, w3 @ x) = split x w2 in
16   join (p, (setColor col' w3) @ x)


In lines 3 and 4, we register the two handlers. In lines 5-13, we use the select 
construction. In the first case, the click happens first and we return the color 
red. In the second case, the key press happens first and we return the color blue. 
In both cases, because of the linear nature of the language, we need to discharge 
the unit and the char, respectively, as well as the event that does not return first. In line 
14, we turn the color event into an existential. In line 15, we use the timestep 
of the color event to split the widget, and in line 16, we change the color of the 
widget at that time and recompose it. 

To see how λ_widget differs from more traditional synchronous FRP languages, 
we will examine how to encode a kind of stream. Since our language is asyn- 
chronous, the stream type must be encoded as 


\[ \mathrm{Str}\,A := \nu\alpha.\,\Diamond(A \otimes \alpha) \]


This asynchronous stream will at some point in the future give a head and a 
tail. We do not know when the first element of the stream will arrive, and after 
each element of the stream is produced, we will wait an indeterminate amount 
of time for the next element. The reason why the stream type in λ_widget must be 
like this is essentially that we want a push-based language, i.e., we do not want 
to wake up and check for new data in each program cycle. Instead, the program 
should sleep until new data arrives. 

To show the difference between the asynchronous stream and the more tra- 
ditional synchronous stream, we will look at some examples. With a traditional 
stream, a standard operation is zipping two streams: that is, given Str A and 
Str B, we can produce Str (A ⊗ B), which should be the element-wise pairing of 
the two streams. It should be clear that this is not possible for our asynchronous 
streams. Given two streams, we can wait until the first stream produces an ele- 
ment, but the second stream may only produce an element after a long period of 
time. Hence, we would need to buffer the first element, which is not supported 
in general. Remember, when using select, we cannot use any already defined 
linear variables, since we do not know if they will be available in the future. 

Rather than zipping streams, we can instead do a kind of interleaving, as 
shown below. We use fold and unfold to denote the folding and unfolding of the 
fixpoint. 


1 interleave : Str A ⊸ Str B ⊸ Str (A ⊕ B)
2 interleave xs ys = fold (
3   select
4     (unfold xs as xs' →
5        let (x, xs'') = xs' in       -- xs' : A ⊗ Str A, x : A, xs'' : Str A
6        evt (inl x, interleave xs'' ys)
7     | unfold ys as ys' →
8        let (y, ys'') = ys' in       -- ys' : B ⊗ Str B, y : B, ys'' : Str B
9        evt (inr y, interleave xs ys'')))


Here, we use select to choose between which stream returns first, and then we 
let that element be the first element of the new stream. 
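As an added illustration (not code from the paper), the following Python model plays out the select construction and the interleave example on time-indexed events: an event is represented by the delay until it fires, as Theorem 4 and out suggest, a stream by a list of per-element delays, and a tie is resolved by a constructed tie_left flag standing in for the calculus's non-deterministic choice.

```python
"""Constructed model (added example, not the paper's code) of events,
select and asynchronous streams. By Theorem 4 (◇A ≅ ∃n. A @ n) an event is
represented as (delay, payload): the timesteps until it fires, counted from
the current timestep. A stream Str A := να. ◇(A ⊗ α) is a finite list of
(delay, element) pairs, each delay counted from the previous element; an
empty list stands for a stream that never fires again."""
from typing import Any, Callable, List, Tuple

Event = Tuple[float, Any]
Stream = List[Tuple[float, Any]]
NEVER = float("inf")  # delay of an event that never fires


def evt(value: Any) -> Event:
    """evt : A ⊸ ◇A, an event firing at the current timestep."""
    return (0, value)


def reindex(e: Event, now: float) -> Event:
    """Re-count a pending event's delay from timestep `now`: the DELAY rule
    moves the context to the timestep at which the winner fired."""
    return (e[0] - now, e[1])


def select(t1: Event, t2: Event,
           k1: Callable[[Any, Event], Event],
           k2: Callable[[Any, Event], Event],
           tie_left: bool = True) -> Event:
    """select (t1 as a → k1 a t2 | t2 as b → k2 b t1).

    A continuation sees only the winner's payload and the still-pending
    loser, the contexts (a : A, t2 : ◇B) and (t1 : ◇A, b : B) of the SELECT
    rule; no earlier linear variable is available, which is why zipping two
    streams cannot be written. A tie is a non-deterministic choice in the
    calculus; this model resolves it with the constructed tie_left flag."""
    (n1, a), (n2, b) = t1, t2
    if n1 < n2 or (n1 == n2 and tie_left):
        now, (delay, c) = n1, k1(a, reindex(t2, n1))
    else:
        now, (delay, c) = n2, k2(b, reindex(t1, n2))
    assert delay >= 0, "a continuation cannot produce an event in its past"
    return (now + delay, c)


def unfold(xs: Stream) -> Event:
    """unfold : Str A ⊸ ◇(A ⊗ Str A); the tail's delays are relative to the head."""
    if not xs:
        return (NEVER, None)
    (d, x), rest = xs[0], xs[1:]
    return (d, (x, rest))


def fold(e: Event) -> Stream:
    """fold : ◇(A ⊗ Str A) ⊸ Str A, the inverse of unfold."""
    d, payload = e
    if d == NEVER:
        return []
    x, rest = payload
    return [(d, x)] + rest


def interleave(xs: Stream, ys: Stream, tie_left: bool = True) -> Stream:
    """The interleave example: whichever stream fires first supplies the next
    element, tagged inl or inr, and the other stream is carried along."""
    if not xs and not ys:
        return []
    return fold(select(
        unfold(xs), unfold(ys),
        lambda head, ys_evt: evt((("inl", head[0]),
                                  interleave(head[1], fold(ys_evt), tie_left))),
        lambda head, xs_evt: evt((("inr", head[0]),
                                  interleave(fold(xs_evt), head[1], tie_left))),
        tie_left))


def absolute(xs: Stream) -> Stream:
    """Turn per-element delays into absolute timesteps, to read off results."""
    out, clock = [], 0
    for d, x in xs:
        clock += d
        out.append((clock, x))
    return out


if __name__ == "__main__":
    # Constructed input: xs fires at 1 and 5, ys at 3 and 7 (absolute time).
    merged = interleave([(1, "a"), (4, "b")], [(3, "x"), (4, "y")])
    print(absolute(merged))  # [(1, ('inl', 'a')), (3, ('inr', 'x')), (5, ('inl', 'b')), (7, ('inr', 'y'))]
```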

On the other hand, some of the traditional FRP functions on streams can be 
translated. For instance, we can map a function over a stream, given that the function is 
available at each step in time: 


1 map : F (G (A ⊸ B)) ⊸ Str A ⊸ Str B
2 map f0 xs =
3   let F f1 = f0 in                     -- f1 : G (A ⊸ B)
4   let unpack (y, (x, xs') @ y) =       -- y : Time, x : A, xs' : Str A at time y
5     out (unfold xs) in
6   fold (evt ((runG f1) x, map f0 xs'))


The type F(G(A ⊸ B)) is read as a linear function with no free variables that 
can be used in a non-linear fashion, i.e., duplicated. This restriction to such 
“globally available functions” is reminiscent of the “box” modality in Bahr et 
al. [1] and Krishnaswami [20], and the F and G constructions can be understood 
as decomposing the box modality into two separate steps. This relationship will 
be made precise in the logical interpretation of λ_widget in section 1 

As a final example, we will show how to dynamically update the GUI, i.e., 
how to add new widgets on the fly. Before we can give the example, we need to 
extend our widget API, to allow composition of widgets. To that end, we add 
the vAttach command to our API. 


vAttach : ∀(i, j : Id), Widget i ⊸ Widget j ⊸ Widget i 


This command should be understood as an abstract version of the div tag in 
HTML. In the following example, we think of the widget as a simple button 
that, when clicked, will create a new button. When any of the buttons gets 
clicked, a new button gets attached. 
1 buttonStack : ∀ i, Widget i ⊸ Widget i
2 buttonStack w0 =
3   let (w1, c) = onClick w0 in
4   let unpack (x, () @ x) = out c in
5   let (p, w2 @ x) = split x w1 in
6   let w3 = (let (y, w) = newWidget () in
7             vAttach w2 (buttonStack w)) @ x in
8   join (p, w3)


The important step here is in lines 6 and 7. Here the new button is attached at 
the time of the mouse click, and buttonStack is called recursively on the newly 
created button. 


Formal Calculus 


This section gives the rules, meta-theory and logical interpretation of λ_widget. 
Briefly, the language is a mixed linear-non-linear adjoint calculus in the style 
of Benton–Wadler [4,3]. The non-linear fragment, also called Cartesian in the 
following, is a minimal simply typed lambda calculus, whereas the linear fragment 
contains several non-standard judgments used for widget programming. 


Contexts and Typing Judgments We have three typing judgments: one for 
indices, one for Cartesian (non-linear) terms, and one for linear terms. These are 
distinguished by a subscript on the turnstile: i for indices, c for Cartesian terms 
and l for linear terms. They depend on different contexts. The index judgment 
depends only on an index context, whereas the Cartesian and linear judgments 
depend on both an index context and a Cartesian and/or a linear context. The rules for 
context formation are given in Figure 1. These are mostly standard except for the 
dependence on a previously defined context and the fact that the linear context 
contains variables of the form a :_τ A, i.e., temporal variables. The judgment 
a :_τ A is read as “a has the type A at the timestep τ”. In the linear setting we 
will write a : A instead of a :_0 A, i.e., a judgment in the current timestep. 


Indices:
\[
\frac{}{\vdash_i \cdot}
\qquad
\frac{\vdash_i \Theta \quad s \notin \mathrm{dom}(\Theta) \quad \sigma \in \{\mathrm{Id}, \mathrm{Time}\}}{\vdash_i \Theta, s : \sigma}
\]
Cartesian:
\[
\frac{}{\Theta \vdash_c \cdot}
\qquad
\frac{\Theta \vdash_c \Gamma \quad x \notin \mathrm{dom}(\Gamma) \quad \Theta \vdash_c X}{\Theta \vdash_c \Gamma, x : X}
\]
Linear:
\[
\frac{}{\Theta \vdash_l \cdot}
\qquad
\frac{\Theta \vdash_l \Delta \quad a \notin \mathrm{dom}(\Delta) \quad \Theta \vdash_l A \quad \Theta \vdash_i \tau : \mathrm{Time}}{\Theta \vdash_l \Delta, a :_\tau A}
\]


Fig. 1. Context Formation 


The index judgment describes how to introduce indices. The typing rules are 
given in Figure 2. The judgment Θ ⊢_i τ : σ contains a single context, Θ, for 
index variables. There are only two sorts of indices, identifiers and timesteps. 
Index Judgments: 
\[
\frac{\tau \in \mathrm{Time}}{\Theta \vdash_i \tau : \mathrm{Time}}\ (\mathrm{TIME})
\qquad
\frac{\iota \in \mathrm{Id}}{\Theta \vdash_i \iota : \mathrm{Id}}\ (\mathrm{ID})
\qquad
\frac{i : \sigma \in \Theta}{\Theta \vdash_i i : \sigma}\ (\mathrm{VAR})
\]


Fig. 2. Index Typing rules 


The Cartesian judgment describes the Cartesian, or non-linear, fragment. 
This is a minimal simply typed lambda calculus with the addition of the G 
type, used for moving between the linear and Cartesian fragments, and explained 
further below. The judgment Θ; Γ ⊢_c t : A has two contexts: Θ for indices and 
Γ for Cartesian variables. 

The linear fragment is most of the language, and a selection of typing rules 
is given in Figure 3. The judgment is made w.r.t. three contexts: Θ for index 
variables, Γ for Cartesian variables and Δ for linear variables. Many of the 
rules are standard for a linear calculus, except for the presence of the additional 
contexts. We will not describe the standard rules any further. 

The first non-standard rule is for ◇. The introduction and elimination rules 
follow from the fact that ◇ is a non-strong monad. More interesting is the select 
rule. Here we see the formal rule corresponding to the informal explanation in 
section 1. The important thing here is that we cannot use any previously defined 
linear variable when typing t1' and t2', since we do not actually know when the 
typing happens. Note that we can see the select rule as a binary version of the ◇ 
let-binding. This could be extended to an n-ary version, but we do not do this in 
our core calculus. The rules for A @ τ show how to move between the judgments 
t : A @ τ and t :_τ A. That is, moving from knowing in the current timestep that 
t will have the type A at time τ, to knowing at time τ that t has type A. The 
(F-I), (F-E), (G-I) and (G-E) rules show the adjoint structure of the language. 
The (G-I) rule takes a closed linear term of type A and gives it the Cartesian 
type G A. Note that because it has no free linear variables, it is safe to duplicate. The 
(G-E) rule lets us get an A without needing any linear resources. Conversely, the 
(F-I) rule embeds an intuitionistic term into the linear fragment and the (F-E) 
rule binds an intuitionistic variable to let us freely use the value. The (Delay) 
rule shows what happens when we actually know the timestep. The important 
part is Δ' = Δ|^τ, which means two things: one, all the variables in Δ are of 
the form a :_τ A, i.e., judgments at time τ, and two, we shift Δ into the future 
such that all the variables of Δ' are of the form a : A. The way to understand this 
is: if all the variables in Δ are typed at time τ and the conclusion is at time τ, 
it is enough to “move to” time τ and then type w.r.t. that timestep. Finally, we 
have (I_τ-E) and (⊗_τ-E). These allow us to work with linear unit and products 
at time τ. They are added explicitly since they cannot be derived from the other 
rules, and are needed for typing certain kinds of programs. 


\[
\frac{\Theta \vdash_i \tau : \mathrm{Time} \quad \Theta;\Gamma;\Delta \vdash_l t :_\tau A}{\Theta;\Gamma;\Delta \vdash_l t\,@\,\tau : A\,@\,\tau}\ (@\text{-I})
\]
\[
\frac{\Theta \vdash_i \tau : \mathrm{Time} \quad \Theta;\Gamma;\Delta_1 \vdash_l t_1 : A\,@\,\tau \quad \Theta;\Gamma;\Delta_2, a :_\tau A \vdash_l t_2 : B}{\Theta;\Gamma;\Delta_1,\Delta_2 \vdash_l \mathbf{let}\ a\,@\,\tau = t_1\ \mathbf{in}\ t_2 : B}\ (@\text{-E})
\]
\[
\frac{\Theta;\Gamma \vdash_c e : G\,A}{\Theta;\Gamma;\cdot \vdash_l \mathrm{runG}\ e : A}\ (G\text{-E})
\qquad
\frac{\Theta;\Gamma \vdash_c e : X}{\Theta;\Gamma;\cdot \vdash_l F\,e : F\,X}\ (F\text{-I})
\]
\[
\frac{\Theta;\Gamma;\Delta_1 \vdash_l t_1 : F\,X \quad \Theta;\Gamma, x : X;\Delta_2 \vdash_l t_2 : B}{\Theta;\Gamma;\Delta_1,\Delta_2 \vdash_l \mathbf{let}\ F\,x = t_1\ \mathbf{in}\ t_2 : B}\ (F\text{-E})
\]
\[
\frac{\Theta, i : \sigma;\Gamma;\Delta \vdash_l t : A}{\Theta;\Gamma;\Delta \vdash_l \Lambda(i : \sigma).\,t : \forall(i : \sigma).\,A}\ (\forall\text{-I})
\qquad
\frac{\Theta \vdash_i s : \sigma \quad \Theta;\Gamma;\Delta \vdash_l t : \forall(i : \sigma).\,A}{\Theta;\Gamma;\Delta \vdash_l t\,s : \{s/i\}A}\ (\forall\text{-E})
\]
\[
\frac{\Theta \vdash_i s : \sigma \quad \Theta;\Gamma;\Delta \vdash_l t : \{s/i\}A}{\Theta;\Gamma;\Delta \vdash_l \{s, t\} : \exists(i : \sigma).\,A}\ (\exists\text{-I})
\]
\[
\frac{\Theta;\Gamma;\Delta_1 \vdash_l t_1 : \exists(i : \sigma).\,A \quad \Theta, s : \sigma;\Gamma;\Delta_2, a : \{s/i\}A \vdash_l t_2 : B}{\Theta;\Gamma;\Delta_1,\Delta_2 \vdash_l \mathbf{let\ unpack}\ \{s, a\} = t_1\ \mathbf{in}\ t_2 : B}\ (\exists\text{-E})
\]
\[
\frac{\Theta;\Gamma;\Delta_1 \vdash_l t_1 : \Diamond A \quad \Theta;\Gamma;\Delta_2 \vdash_l t_2 : \Diamond B \quad \Theta;\Gamma; a : A, t_2 : \Diamond B \vdash_l t_1' : \Diamond C \quad \Theta;\Gamma; b : B, t_1 : \Diamond A \vdash_l t_2' : \Diamond C}{\Theta;\Gamma;\Delta_1,\Delta_2 \vdash_l \mathbf{select}\ (t_1\ \mathbf{as}\ a \to t_1' \mid t_2\ \mathbf{as}\ b \to t_2') : \Diamond C}\ (\mathrm{SELECT})
\]
\[
\frac{\Theta \vdash_i \tau : \mathrm{Time} \quad \Delta' = \Delta|^\tau \quad \Theta;\Gamma;\Delta' \vdash_l t : A}{\Theta;\Gamma;\Delta \vdash_l t :_\tau A}\ (\mathrm{DELAY})
\]
\[
\frac{\Theta \vdash_i \tau : \mathrm{Time} \quad \Theta;\Gamma;\Delta_1 \vdash_l t_1 :_\tau I \quad \Theta;\Gamma;\Delta_2 \vdash_l t_2 : B}{\Theta;\Gamma;\Delta_1,\Delta_2 \vdash_l \mathbf{let}\ ()\,@\,\tau = t_1\ \mathbf{in}\ t_2 : B}\ (I_\tau\text{-E})
\]
\[
\frac{\Theta \vdash_i \tau : \mathrm{Time} \quad \Theta;\Gamma;\Delta_1 \vdash_l t_1 :_\tau A \otimes B \quad \Theta;\Gamma;\Delta_2, a :_\tau A, b :_\tau B \vdash_l t_2 : C}{\Theta;\Gamma;\Delta_1,\Delta_2 \vdash_l \mathbf{let}\ (a, b)\,@\,\tau = t_1\ \mathbf{in}\ t_2 : C}\ (\otimes_\tau\text{-E})
\]


Fig. 3. Selected Linear Typing rules 


Unfolding Events to Exists The type system as given above contains both 
◇A and A @ k as two distinct ways to handle time. The former means that 
something of type A will arrive at some point in the future, whereas the latter 
means an A arrives at a specific point in the future. The strength of ◇ is that 
it gives easy and concise typing rules, whereas the strength of A @ k is that 
it allows for a more precise usage of time. To connect these two, we add the 
linear isomorphism ◇A ≅ ∃k. A @ k to our language, which is witnessed by out 
and into, as part of the widget API. This isomorphism is true semantically, but 
cannot be derived in the type system. In particular, this isomorphism allows 
the select rule to be given with ◇, while still allowing the use of timesteps when 
working with the resulting event. If we were to give the equivalent definition using 
timesteps, one would need to have some sort of constraint system for deciding 
which events happen first. Avoiding such constraints also allows for a simpler 
implementation, as everything in our type system can be inferred. 


Meta-theory of Substitution The meta-theory of λ_widget is given in the form 
of a series of substitution lemmas. Since we have three different contexts, we 
end up with six different substitutions into terms. The Cartesian-to-Cartesian, 
Cartesian-to-linear and linear-to-linear substitutions are the usual notions of mutually recursive 
substitution. More interesting is the substitution of indices into Cartesian and 
linear terms and types. We prove the following lemma, showing that typing is 
preserved under index substitution: 


Lemma 1 (Preservation of Typing under Index Substitution). 


\[
\frac{\zeta : \Theta' \to \Theta \quad \Theta;\Gamma \vdash_c e : X}{\Theta';\zeta(\Gamma) \vdash_c \zeta(e) : \zeta(X)}
\qquad
\frac{\zeta : \Theta' \to \Theta \quad \Theta;\Gamma;\Delta \vdash_l t :_\tau A}{\Theta';\zeta(\Gamma);\zeta(\Delta) \vdash_l \zeta(t) :_{\zeta(\tau)} \zeta(A)}
\]


Both of these (and all other cases of substitution) are proved by a lengthy 
but standard induction over the typing tree. See the technical appendix for full 
proofs of all six substitution lemmas. 


Logical Interpretation Our language has a straightforward logical interpre- 
tation. The logic corresponding to the Cartesian fragment is a propositional 
intuitionistic logic, following the usual Curry-Howard interpretation. The logic 
corresponding to the substructural part of the language is a linear, linear tempo- 
ral logic. The single-use condition on variables means that the syntax and typing 
rules correspond to the rules of intuitionistic linear logic (i.e., the first occurrence 
of linear in “linear, linear temporal”). However, we do not have a comonadic ex- 
ponential modality !A as a primitive. Instead, we follow the Benton–Wadler 
approach [4,3] and decompose the exponential into the composition of a pair of 
adjoint functors mediating between the Cartesian and linear logic. 

In addition to the Benton–Wadler rules, we have a temporal modality ◇A, 
which corresponds to the eventually modality of linear temporal logic (i.e., the 
second occurrence of “linear” in “linear, linear temporal logic”). This connective 
is usually written F A in temporal logic, but that collides with the F modality 
of the Benton–Wadler calculus. Therefore we write it as ◇A to reflect its nature 
as a possibility modality (or monad). In our calculus, the axioms of S4.3 are 


Adjoint Reactive GUI Programming 301 


derivable: 


\[
\begin{aligned}
(\mathrm{T}) &: A \multimap \Diamond A \\
(4) &: \Diamond\Diamond A \multimap \Diamond A \\
(.3) &: \Diamond A \otimes \Diamond B \multimap \Diamond\big((\Diamond A \otimes B) \oplus (A \otimes \Diamond B) \oplus (A \otimes B)\big)
\end{aligned}
\]


Since the ambient logic is linear, intuitionistic implication X → Y is replaced 
with the linear implication A ⊸ B, and intuitionistic conjunction X ∧ Y is 
replaced with the linear tensor product A ⊗ B. It is easy to see that the first two 
axioms correspond to the monadic structure of ◇, and the .3 axiom corresponds 
to the select rule (with our syntax for select corresponding to immediately waiting 
for and then pattern-matching on the sum type). In the literature, the .3 axiom 
is often written in terms of the box modality □A [8], but we present it here in 
a (classically) equivalent formulation mentioning the eventually modality ◇A. 
We do not need an explicit box modality □A, since the decomposition of the 
exponential F(GA) from the linear-non-linear calculus serves that role. 

In our system, we do not offer the next-step operator ▷A. Since we model 
asynchronous programs, we do not let programmers write programs which wake 
up in a specified amount of time. We only offer an iterated version of this con- 
nective, A @ n, which can be interpreted as ▷^n A, and our term syntax has no 
numeric constants which can be used to demand a specific delay. 

Finally, the universal and existential quantifiers (in both the intuitionistic 
and linear fragments) are the usual quantifier rules for first-order logic. 


Semantics 


In this section we give a denotational model for λ_widget. It is a linear-non-linear 
(LNL) hyperdoctrine [24,16] with the non-linear part being Set and the linear 
part being the category of internal relations over a suitable “reactive” category. 
The hyperdoctrine structure is used to interpret the quantification over indices. 
This model is nearly entirely standard: the most interesting parts are the reactive 
base category and the interpretation of widgets. It is well known that any sym- 
metric monoidal closed category (SMCC) models multiplicative intuitionistic 
linear logic (MILL), and it is similarly well known that the category of relations 
over Set can be given the structure of an SMCC by using the Cartesian product 
as both the monoidal product and the monoidal exponential. This construction lifts 
directly to any category of internal relations over a category that is suitably 
“Set-like”, i.e., a topos. Our base category is a simple presheaf category, and 
hence we use this construction to model the linear fragment of λ_widget. 


The Base Reactive Category The base reactive category is where the notion 
of time arises, and it is this notion that will be lifted all the way up to the LNL 
hyperdoctrine. The simplest model of “time” is Set^N, which can be understood 
as “sets through time” [23]. This can indeed be used as a model for a reactive 
setting, but for our purposes it is too simple, and further, depending on which 
ordering is considered for N, it may have undesirable properties for the reactive 
setting. Instead, we use the only slightly more complicated Set^{N+1}, henceforth 
denoted R, where the ordering on N + 1 is the discrete ordering on N and 1 is 
related to everything else. Adding this “point at infinity” allows global reasoning 
about objects, an intuition that is further supported by the definition of the sub- 
object classifier below. Further, this model is known to be able to differentiate 
between least and greatest fixpoints [15], and even though we do not use this for 
λ_widget, we consider it a useful property for further work (see section 1). Objects 
in R can be visualized as 


[Diagram: A_∞ at the top, with an arrow from A_∞ to each of A_0, A_1, A_2, ... below it] 


We can think of A_∞ as the global view of the object and A_n as the local view 
of the object at each timestep. Morphisms are natural transformations between 
such diagrams, and the naturality condition means that having a map from A_∞ 
to B_∞ must also come with coherent maps at each timestep. 

In R we define two endofunctors, which can be seen as describing the passage 
of time: 


Definition 1. We define the later and previous endofunctors on R, denoted ▷ 
and ◁, respectively: 


\[
(\triangleright A)_n :=
\begin{cases}
1 & n = 0 \\
A_{n'} & n = n' + 1 \\
A_\infty & n = \infty
\end{cases}
\qquad
(\triangleleft A)_n :=
\begin{cases}
A_{n+1} & n \in \mathbb{N} \\
A_\infty & n = \infty
\end{cases}
\]


Note that when we apply the later functor, the global view does not change, but 
the local views are shifted forward in time. 


Theorem 1. The later and previous endofunctors form an adjunction. 
Definition 2. The subobject classifier, denoted Ω, in R is the object 
\[ \Omega_\infty = \mathcal{P}(\mathbb{N}) + 1 \qquad \Omega_n = \{0, 1\} \]


For each n ∈ N, Ω_n denotes whether a given proposition is true at the nth 
timestep. Ω_∞ gives the “global truth” of a given proposition. The left injection 
is some subset of N that denotes at which points in time something is true. The 
right injection denotes that something is true “at the limit”, and in particular 
also at all timesteps. Note that a proposition can be true at all timesteps but not at 
the limit. This extra point at infinity is precisely what allows us to differentiate 
between least and greatest fixpoints. 


The Category of Internal Relations To interpret the linear fragment of 
the language, we will use the category of internal relations on R. Given two 
objects A and B in R, an internal relation is a subobject of the product A × B. 
This can equivalently be understood as a map A × B → Ω. The category of 
internal relations is the category whose objects are the objects of R and 
whose morphisms A → B are internal relations A × B → Ω in R. We denote the 
category of internal relations as Rel_R. 

Theorem 2. Using A ⊗ B = A × B and A ⊸ B = A × B as monoidal product 
and exponential, respectively, Rel_R is a symmetric monoidal closed category. 


Theorem 3. There is an adjunction ◁ ⊣ ▷ in Rel_R, where ◁ and ▷ are the 
liftings of the previous and later functors from R to Rel_R. 


Definition 3. We define the iterated later modality, or the “at” connective, as 
successive application of the later modality: 


\[ \triangleright^0 A = A \qquad \triangleright^{k+1} A = \triangleright(\triangleright^k A) \]
and we will alternatively write A @ k to mean ▷^k A. 

Definition 4. We define the event functor on Rel_R as an iterated later: 


\[ \Diamond : \mathrm{Rel}_R \to \mathrm{Rel}_R \qquad (\Diamond A)_\infty = A_\infty \qquad (\Diamond A)_n = \Sigma(k : \mathbb{N}).\,(\triangleright^k A)_n \]


The event functor additionally carries a monadic structure (see [29] and the 
technical appendix). 


Theorem 4. We have the isomorphism ◇A ≅ ∃(n : N). A @ n for any A. 


Theorem 5. We have the following adjunctions between Set, R and Rel_R: 


\[
\mathbf{Set}\ \underset{\lim}{\overset{\Delta}{\rightleftarrows}}\ R\ \underset{P}{\overset{I}{\rightleftarrows}}\ \mathrm{Rel}_R
\qquad \Delta \dashv \lim, \quad I \dashv P
\]


where Δ is the constant functor, lim is the limit functor, I is the inclusion 
functor and P is the image functor. This induces an adjunction between Set and 
Rel_R. 


The Widget Object One of the most important objects in Rel_R is the widget 
object. This object is used to interpret widgets and prefixes. The widget object 
will be defined with respect to an ambient notion of identifiers, which we will 
denote Id. These will be part of the hyperdoctrine structure defined below, and 
for now we will just assume such an object exists. We will also use a notion of 
timesteps internal to the widget object. Note that this timestep is different from 
the abstract timestep used for defining Rel_R, but the two are related as defined below. 
We denote the abstract timesteps with Time. 

Before we can define the widget object, we need to define an appropriate ob- 
ject of commands. In our minimal Widget API, the only semantic commands will 
be setColor, onClick and onKeypress. The rest of the API is defined as morphisms 
on the widget object itself. To work with the semantic commands, we addition- 
ally need a compatibility relation. This relation describes which commands can 
be applied at the same time. In our setting this relation is minimal, but it can in 
principle be used to encode whatever restrictions are needed for a given API. 
Definition 5. We define the command object as 
\[ \mathrm{Cmd} = \{(\mathrm{setColor}, \mathrm{color}), \mathrm{onClick}, \mathrm{onKeypress}\} \]
where color is an element of a “color” object. The compatibility relation is: 
\[ (op, arg) \bowtie (op', arg') \iff (op = op' \Rightarrow arg = arg') \]
The only non-compatible combination of commands is two applications of the 
setColor command, the idea being that you cannot set the color twice in the 
same timestep. 
We can now define the widget and prefix objects. 


Definition 6. The widget object, denoted Widget, is indexed by i ∈ Id and is 
defined as 


\[
\begin{aligned}
\mathrm{Widget}_\infty\ i &= \{(w, i) \mid w \in \mathcal{P}(\mathrm{Time} \times \mathrm{Cmd}),\ (t, c) \in w \wedge (t, c') \in w \Rightarrow c \bowtie c'\} \\
\mathrm{Widget}_n\ i &= \{(w, i) \in \mathrm{Widget}_\infty\ i \mid \forall (t, c) \in w.\ t < n\}
\end{aligned}
\]
The prefix object, denoted Prefix, is indexed by i ∈ Id and t ∈ Time and is: 
\[
\begin{aligned}
\mathrm{Prefix}_\infty\ i\ t &= \{(P, i) \in \mathrm{Widget}_\infty\ i \mid \forall (t', c) \in P.\ t' < t\} \\
\mathrm{Prefix}_n\ i\ t &=
\begin{cases}
\{(P, i) \in \mathrm{Prefix}_\infty\ i\ t \mid \forall (t', c) \in P.\ t' < n\} & n < t \\
1 & \text{otherwise}
\end{cases}
\end{aligned}
\]


The widget object is a collection of times and commands keeping track of what 
has happened to it at various times — imagine a logbook with entries for each time 
step. At the point at infinity, the “global” behavior of the widget is defined, i.e., 
the full logbook of the widget. For each n, Widget_n is simply what has happened 
to the widget so far, i.e., a truncated logbook. The prefix object is a widget 
object that is only defined up to some timestep, and is the unit after that. This 
yields a semantic difference between the widget where the color is set only once 
and the widget where the color is set at every timestep. This reflects a real 
difference in actual widget behavior: if turnRedOnClick w is later set to be blue, 
it will remain blue, but keepTurningRed w will turn back to being red. 
To manipulate widgets we define two “restriction” maps. 


Definition 7. We define the following on widgets and prefixes: 
\[
\begin{aligned}
\mathrm{shift}\ t &: \mathrm{Widget}\ i \to_{\mathrm{Rel}_R} \mathrm{Widget}\ i \\
(\mathrm{shift}\ t\ W)_n &= \{(t' - t, c) \mid (t', c) \in W \wedge t \le t'\} \\[4pt]
\mathrm{prefix}\ t\ i &: \mathrm{Widget}\ i \to_{\mathrm{Rel}_R} \mathrm{Prefix}\ i\ t \\
(\mathrm{prefix}\ t\ i\ W)_n &=
\begin{cases}
\{(t', c) \in W \mid t' < t\} & n < t \\
1 & \text{otherwise}
\end{cases}
\end{aligned}
\]


The intuition behind these is that prefix t i “cuts off” the widget after t, giving 
a prefix, whereas shift t shifts all entries in the widget forward by t. 

Using the above, we can now define the split and join morphisms. These are 
again given w.r.t. ambient Id and Time objects, which will be part of the full 
hyperdoctrine structure: 

Definition 8. We define the following morphisms on the widget object: 
\[
\begin{aligned}
\mathrm{split}\ i\ t &: \mathrm{Widget}\ i \to_{\mathrm{Rel}_R} \mathrm{Prefix}\ i\ t \otimes \mathrm{Widget}\ i\,@\,t \\
(\mathrm{split}\ i\ t\ w)_n &= (\mathrm{prefix}\ t\ i\ w, \mathrm{shift}\ t\ w)_n \\[4pt]
\mathrm{join}\ i\ t &: \mathrm{Prefix}\ i\ t \otimes \mathrm{Widget}\ i\,@\,t \to_{\mathrm{Rel}_R} \mathrm{Widget}\ i \\
(\mathrm{join}\ i\ t\ (p, w))_n &=
\begin{cases}
p_n & n < t \\
w_{n - t} & \text{otherwise}
\end{cases}
\end{aligned}
\]


Linear-non-linear Hyperdoctrine So far we have not explained in detail 
how to model the quantifiers in our system. To do this, we use the notion of 
a hyperdoctrine [22]. For first-order logic, this is a functor from a category of 
contexts and substitutions to the category of Cartesian closed categories, with 
the idea that we have one CCC for each valuation of the free first-order variables. 

As our category of contexts, we use a Cartesian category to interpret our 
index objects, Time and Id. The former is interpreted as N + 1 and the latter as 
N. In our case, both Set and Rel_R are themselves hyperdoctrines w.r.t. this 
category of contexts, the former a first-order hyperdoctrine and the latter a mul- 
tiplicative intuitionistic linear logic (MILL) hyperdoctrine. Together these form 
a linear-non-linear hyperdoctrine through the adjunction given in Theorem 5. 


Definition 9. A linear-non-linear hyperdoctrine is a MILL hyperdoctrine L to- 
gether with a first-order hyperdoctrine C and a fiber-wise monoidal adjunction 
F : C ⇄ L : G. 

Theorem 6. The categories Set and Rel_R form a linear-non-linear hyperdoc- 
trine w.r.t. the interpretation of the index objects, with the adjunction given as 
in Theorem 5. 


We refer the reader to the accompanying technical appendix for the full details. 


Denotational Semantics With the above, we have enough structure to give 
an interpretation of λ_widget. Again, most of this interpretation is standard in 
the use of the hyperdoctrine structure, and we interpret ◇ in the obvious way 
using the linear hyperdoctrine structure on Rel_R. As an example, we sketch the 
interpretation of the widget object and the setColor command below. 


Definition 10. We interpret the Widget i and Prefix i t types using the widget 
and prefix objects: 

\[
\begin{aligned}
\llbracket \Theta \vdash \mathrm{Widget}\ i \rrbracket &= \mathrm{Widget}\ \llbracket \Theta \vdash_i i : \mathrm{Id} \rrbracket \\
\llbracket \Theta \vdash \mathrm{Prefix}\ i\ t \rrbracket &= \mathrm{Prefix}\ \llbracket \Theta \vdash_i i : \mathrm{Id} \rrbracket\ \llbracket \Theta \vdash_i t : \mathrm{Time} \rrbracket
\end{aligned}
\]


and we interpret the setColor command as: 
\[
\llbracket \mathrm{setColor} : \forall(i : \mathrm{Id}).\ \mathrm{Widget}\ i \otimes F\,\mathrm{Color} \multimap \mathrm{Widget}\ i \rrbracket =
\{\, w \cup_W \{(0, (\mathrm{setColor}, col))\} \mid w \in \llbracket \mathrm{Widget}\ i \rrbracket,\ col \in \llbracket \mathrm{Color} \rrbracket \,\}
\]


where ∪_W is a “widget union”, i.e., a union of sets such that identifier 
indices and compatibility of commands are respected. 
This interpretation shows that a widget is indeed a logbook of events. Using 
the setColor command simply adds an entry to the logbook of the widget. Note 
that we only set the color in the current timestep. To set the color in the future, we 
combine the above with appropriate uses of split and join. The interpretations of 
split and join are given by their semantic counterparts, and the interpretations 
of onClick and onKeypress are given, using our non-deterministic semantics, by 
associating a widget with all possible occurrences of the corresponding event. 
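As an added illustration (not the paper's formalisation), the following Python model implements the logbook reading of the widget object from Definitions 5-8 and 10 at the global view and replays turnRedOnClick and keepTurningRed on it. The join at that view is taken to be the prefix together with the re-timed shifted widget, which is an assumption of this model, and the click times are constructed input.

```python
"""Constructed model (added example, not the paper's code) of the widget
object: a widget is a logbook of (time, command) entries, and the maps
prefix/shift/split/join and setColor act on that logbook. Only the global
(n = ∞) view of each object is modelled; the join at that view is assumed to
be the union of the prefix with the shifted widget moved back to absolute time."""
from typing import Dict, FrozenSet, List, Optional, Tuple

Cmd = Tuple[str, Optional[str]]  # ("setColor", colour) | ("onClick", None) | ("onKeypress", None)
Logbook = FrozenSet[Tuple[int, Cmd]]


def compatible(c: Cmd, d: Cmd) -> bool:
    """Definition 5: (op, arg) ⋈ (op', arg') iff op = op' implies arg = arg',
    so two setColor commands with different colours clash; all else is fine."""
    return c[0] != d[0] or c[1] == d[1]


def well_formed(w: Logbook) -> bool:
    """Definition 6 (Widget_∞): any two entries at the same time are compatible."""
    return all(compatible(c, d) for (t, c) in w for (u, d) in w if t == u)


def prefix(t: int, w: Logbook) -> Logbook:
    """Definition 7: the entries strictly before t."""
    return frozenset(e for e in w if e[0] < t)


def shift(t: int, w: Logbook) -> Logbook:
    """Definition 7: the entries from t on, re-timed relative to t."""
    return frozenset((u - t, c) for (u, c) in w if t <= u)


def split(t: int, w: Logbook) -> Tuple[Logbook, Logbook]:
    """Definition 8: split t w = (prefix t w, shift t w)."""
    return prefix(t, w), shift(t, w)


def join(t: int, p: Logbook, w: Logbook) -> Logbook:
    """Definition 8 at the global view: the prefix plus the shifted widget
    moved forward by t again (model assumption, see module docstring)."""
    return p | frozenset((u + t, c) for (u, c) in w)


def set_color(col: str, w: Logbook) -> Logbook:
    """Definition 10: setColor adds (0, (setColor, col)) at the current
    timestep; the widget union ∪_W refuses an incompatible entry."""
    new = w | {(0, ("setColor", col))}
    if not well_formed(new):
        raise ValueError("two different setColor commands in one timestep")
    return new


def set_color_at(x: int, col: str, w: Logbook) -> Logbook:
    """Setting the colour at a later time x: split at x, setColor on the
    shifted widget, join (lines 5-6 of turnRedOnClick)."""
    p, w2 = split(x, w)
    return join(x, p, set_color(col, w2))


def turn_red_on_click(clicks: List[int], w: Logbook) -> Logbook:
    """turnRedOnClick: only the first click (when onClick fires) matters."""
    return set_color_at(clicks[0], "Red", w) if clicks else w


def keep_turning_red(clicks: List[int], w: Logbook) -> Logbook:
    """keepTurningRed: the handler is re-registered on the shifted widget,
    so later clicks are seen relative to the first one."""
    if not clicks:
        return w
    x, later = clicks[0], [c - clicks[0] for c in clicks[1:]]
    p, w2 = split(x, w)
    return join(x, p, set_color("Red", keep_turning_red(later, w2)))


def color_at(w: Logbook, t: int) -> Optional[str]:
    """Read the logbook: the most recent setColor entry at or before t."""
    entries = [(u, c[1]) for (u, c) in w if c[0] == "setColor" and u <= t]
    return max(entries)[1] if entries else None


def clashes(x: int, col: str, w: Logbook) -> bool:
    """True if setting col at time x would violate the compatibility relation."""
    try:
        set_color_at(x, col, w)
        return False
    except ValueError:
        return True


def demo() -> Dict[str, Logbook]:
    """Constructed scenario: clicks at 2 and 6, and some other handler sets
    the colour blue at 4. The once-only widget stays blue from 4 on; the
    recursive one turns red again at 6 (the difference described above)."""
    empty: Logbook = frozenset()
    return {
        "once": set_color_at(4, "Blue", turn_red_on_click([2, 6], empty)),
        "keep": set_color_at(4, "Blue", keep_turning_red([2, 6], empty)),
    }
```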


Soundness of Substitution Finally, we prove that semantic substitution is 
sound w.r.t. syntactic substitution. As with the proofs of type preservation for 
syntactic substitution, there are several cases for the different kinds of substitu- 
tion, but the main result is again concerned with substitution of indices: 


Theorem 7. Given ζ : Θ' → Θ, Θ; Γ ⊢_c e : X and Θ; Γ; Δ ⊢_l t : A, then 


\[
\begin{aligned}
\llbracket \zeta \rrbracket\,\llbracket \Theta;\Gamma \vdash_c e : X \rrbracket &= \llbracket \Theta';\zeta(\Gamma) \vdash_c \zeta(e) : \zeta(X) \rrbracket \\
\llbracket \zeta \rrbracket\,\llbracket \Theta;\Gamma;\Delta \vdash_l t : A \rrbracket &= \llbracket \Theta';\zeta(\Gamma);\zeta(\Delta) \vdash_l \zeta(t) : \zeta(A) \rrbracket
\end{aligned}
\]


Proofs for all six substitution lemmas can be found in the technical appendix. 


Related and Future Work 


Much work has aimed at a logical perspective on FRP via the Curry-Howard 
correspondence [21,18,17,19,20,10,1]. As mentioned earlier, most of this work has 
focused on calculi that have a Nakano-style later modality [25], but this has the 
consequence that it makes it easy to write programs which wake up on every clock 
tick. In this paper, we remove the explicit next-step modality from the calculus, 
which opens the door to a more efficient implementation style based on the so- 
called “push” (or event/notification-based) implementation style. Elliott [12] also 
looked at implementing a push-based model, but viewed it as an optimization 
rather than a first-class feature in its own right. In future work, we plan on 
implementing a language based upon this calculus, with the idea that we can 
compile to JavaScript, represent widgets with DOM nodes, and represent 
the ◇A and A @ n temporal connectives using doubly-negated callback types (in 
Haskell notation, Event A = (A -> IO ()) -> IO ()). This should let us write 
GUI programs in functional style, while generating imperative, callback-based 
code in the same style that a handwritten GUI program would use. 

Our model, in terms of Set^{N+1}, enriches LTL’s semantics from time-indexed 
truth-values to time-indexed sets. The addition of the global view, or point at 
infinity, enables our model to distinguish between least and greatest fixed 
points [15] (i.e., inductive and coinductive types), unlike in models of guarded 
recursion where guarded types are bilimit-compact [6]. This lets us encode tem- 
poral liveness and safety properties using inductive and coinductive types [10,2]. 

A recent development for comonadic modalities is the introduction of the 
so-called “Fitch-style” calculi [7,11] as an alternative to the Pfenning–Davies 
pattern-style elimination [26]. These calculi have been used successfully for FRP 
[1], and one interesting question is whether they extend to adjoint calculi as well, 
i.e., can the F(X) modality support a direct-style eliminator? 
Abstract. We show that the existential fragment of Büchi arithmetic 
is strictly less expressive than full Büchi arithmetic of any base, and 
moreover establish that its $\Sigma_2$-fragment is already expressively complete. 
Furthermore, we show that regular languages of polynomial growth are 
definable in the existential fragment of Büchi arithmetic. 


Keywords: logical theories · logical definability · quantifier elimination · automatic structures · regular languages 


1 Introduction 


This paper studies the expressive power of Büchi arithmetic, an extension of 
Presburger arithmetic, the first-order theory of the structure $(\mathbb{N},0,1,+)$. Büchi 
arithmetic additionally allows for expressing restricted divisibility properties 
while retaining decidability. Given an integer $p \ge 2$, Büchi arithmetic of base $p$ is 
the first-order theory of the structure $(\mathbb{N},0,1,+,V_p)$, where $V_p$ is a binary predicate 
such that $V_p(a,b)$ holds if and only if $a$ is the largest power of $p$ dividing $b$ 
without remainder, i.e., $a = p^k$, $a \mid b$ and $p \cdot a \nmid b$. 

Presburger arithmetic admits quantifier elimination in the extended structure 
$(\mathbb{N},0,1,+,\{c \mid \cdot\}_{c>1})$ additionally consisting of unary divisibility predicates 
$c \mid \cdot$ for every $c > 1$ [10]. It follows that the existential fragment of Presburger 
arithmetic is expressively complete, since any predicate $c \mid \cdot$ can be expressed 
using an additional existentially quantified variable. We study the analogous 
question for Büchi arithmetic and show, as the main result of this paper, that 
its existential fragment is, in any base, strictly less expressive than full Büchi 
arithmetic. Notably, this result implies that there does not exist a quantifier-elimination 
result à la Presburger for Büchi arithmetic, i.e., any extension of 
Büchi arithmetic with additional predicates definable in existential Büchi arithmetic 
does not admit quantifier elimination. 

A central result about Büchi arithmetic is that it is an automatic structure: 
a set $M \subseteq \mathbb{N}^n$ is definable in Büchi arithmetic of base $p$ if and only if $M$ is 
recognizable by a finite-state automaton under a base-$p$ encoding of the natural 
numbers. Equivalently, $M$ is $p$-regular. This result was first stated by Büchi [4], 
albeit in an incorrect form, and later correctly stated and proved by Bruyère [2], 
see also [3]. Villemaire showed that the $\Sigma_3$-fragment of Büchi arithmetic is 
expressively complete [13, Cor. 2.4]. He established this result by showing how to 
construct a $\Sigma_3$-formula defining the language of a given finite-state automaton. 
We observe that Villemaire's construction can actually be improved to a $\Sigma_2$-formula 
and thus obtain a full characterization of the expressive power of Büchi 
arithmetic in terms of the number of quantifier alternations. 

Our approach to separating the expressiveness of existential Büchi arithmetic 
from full Büchi arithmetic in base $p$ is based on a counting argument. Given a 
set $M \subseteq \mathbb{N}$, define the counting function $d_M(n) := \#(M \cap \{p^{n-1},\ldots,p^n - 1\})$, 
which counts the numbers of bit-length $n$ in base $p$ in $M$. If $M$ is definable in 
existential Büchi arithmetic of base $p$, we show that $d_M$ is either $O(n^c)$ for some 
$c > 0$, or at least $c \cdot p^n$ for some constant $c > 0$ and infinitely many $n \in \mathbb{N}$. For 
instance, for $M_p \subseteq \mathbb{N}$ defined as the set of numbers with $p$-ary expansion in 
the regular language $\{10,01\}^*$, we have $d_{M_p}(n) = \Theta(2^{n/2})$, and hence $M_p$ is not 
definable in existential Büchi arithmetic of base $p$. However, $M_p$ being $p$-regular 
implies that $M_p$ is definable by a $\Sigma_3$-formula of Büchi arithmetic of base $p$. 

We also show that existential Büchi arithmetic defines all regular languages 
of polynomial density, encoded as sets of integers. Given a language $L \subseteq \Sigma^*$, 
let the counting function $d_L: \mathbb{N} \to \mathbb{N}$ be such that $d_L(n) := \#(L \cap \Sigma^n)$. Szilard 
et al. [11] say that $L$ has polynomial density whenever $d_L(n)$ is $O(n^c)$ for some 
non-negative integer $c$. If moreover $L$ is regular then Szilard et al. show that $L$ is 
represented as a finite union of regular expressions of the form $v_0 w_1^* v_1 \cdots w_k^* v_k$ 
such that $0 \le k \le c+1$, $v_0, w_1, v_1, \ldots, v_k, w_k \in \Sigma^*$ [11, Thm. 3]. We show that 
existential Büchi arithmetic defines any language represented by a regular expression 
$v_0 w_1^* v_1 \cdots w_k^* v_k$, which implies that existential Büchi arithmetic defines 
all regular languages of polynomial density. 


2 Preliminaries 


Given $\boldsymbol{v} = (v_1,\ldots,v_d) \in \mathbb{Z}^d$, we denote by $\|\boldsymbol{v}\|_\infty$ the maximum norm of $\boldsymbol{v}$, 
i.e., $\|\boldsymbol{v}\|_\infty = \max\{|v_1|,\ldots,|v_d|\}$. For a matrix $A \in \mathbb{Z}^{m \times d}$ with entries $a_{ij}$, 
$1 \le i \le m$, $1 \le j \le d$, we denote by $\|A\|_{1,\infty}$ the one-infinity norm of $A$, i.e., 
$\|A\|_{1,\infty} = \max\{|a_{i1}| + \cdots + |a_{id}| : 1 \le i \le m\}$. 

Let $\Sigma$ be an alphabet and $w \in \Sigma^*$; we denote by $|w|$ the length of $w$. Given 
a set $U \subseteq \mathbb{N}$, we denote by $w^U := \{w^u : u \in U\}$. Thus, for example, $w^* = w^{\mathbb{N}}$. 

For an integer $p \ge 2$, let $\Sigma_p := \{0,\ldots,p-1\}$. We view words over $\Sigma_p$ as 
numbers encoded in $p$-ary most-significant-digit-first encoding. Tuples of numbers 
of dimension $n$ can be encoded as words over the alphabet $\Sigma_p^n$. For $w = 
v_m \cdots v_0 \in (\Sigma_p^n)^*$, we denote by $[w]_p \in \mathbb{N}^n$ the $n$-tuple 

$$[w]_p := \sum_{i=0}^{m} v_i \cdot p^i.$$

We furthermore define $[\varepsilon]_p := 0$. Note that $[\cdot]_p$ is not injective since, e.g., $01$ 
and $001$ both encode the number one. Given $L \subseteq (\Sigma_p^n)^*$, we define 

$$[L]_p := \{[w]_p : w \in L\} \subseteq \mathbb{N}^n.$$


Automata. A deterministic automaton is a tuple $\mathcal{A} = (Q, \Sigma, \delta, q_0, F)$, where 

– $Q$ is a set of states, 
– $\Sigma$ is a finite alphabet, 
– $\delta: Q \times \Sigma \to Q \cup \{\bot\}$, where $\bot \notin Q$, is the transition function, 
– $q_0 \in Q$ is the initial state, and 
– $F \subseteq Q$ is the set of final states. 

For states $q, r \in Q$ and $u \in \Sigma$, we write $q \xrightarrow{u} r$ if $\delta(q,u) = r$, and extend 
$\to$ inductively to words by stipulating, for $w \in \Sigma^*$ and $u \in \Sigma$, that $q \xrightarrow{wu} r$ 
if there is $s \in Q$ such that $q \xrightarrow{w} s \xrightarrow{u} r$. The language of $\mathcal{A}$ is defined as 
$L(\mathcal{A}) = \{w \in \Sigma^* : q_0 \xrightarrow{w} q_f,\ q_f \in F\}$. 

Note that a priori we allow automata to have infinitely many states and 
to have partially defined transition functions (due to the presence of $\bot$ in the 
co-domain of $\delta$). If $Q$ is finite then we call $\mathcal{A}$ a deterministic finite automaton 
(DFA), and if in addition $\Sigma = \Sigma_p^n$ for some $p \ge 2$ and $n \ge 1$ then $\mathcal{A}$ is called 
a $p$-automaton. Throughout this paper, we assume, without loss of generality, 
that all states of a DFA are live, i.e., every state is reachable from the initial 
state and can reach an accepting state. 


Arithmetic theories. As stated in the introduction, Presburger arithmetic is the 
first-order theory of the structure $(\mathbb{N},0,1,+)$, and Büchi arithmetic of base $p$ 
the first-order theory of the extended structure $(\mathbb{N},0,1,+,V_p)$. We write atomic 
formulas of Presburger arithmetic as $\boldsymbol{a} \cdot \boldsymbol{x} = c$, where $\boldsymbol{a} = (a_1,\ldots,a_d)^\top$ with 
$a_i \in \mathbb{Z}$, $c \in \mathbb{Z}$, and $\boldsymbol{x} = (x_1,\ldots,x_d)$ is a vector of unknowns. In Büchi arithmetic 
we additionally have atomic formulas $V_p(x,y)$ for the unknowns $x$ and $y$. For 
technical convenience, we assert that $V_p(x,0)$ never holds.$^3$ We write $\Phi(x)$ or 
$\Phi(\boldsymbol{x})$ to indicate that $x$ or a vector of unknowns $\boldsymbol{x}$ occurs free in $\Phi$. If there 
are further free variables in $\Phi$, we assume them to be implicitly existentially 
quantified. 

We may without loss of generality assume that no negation symbol occurs in 
a formula of Büchi arithmetic. First, we have $\neg(\boldsymbol{a} \cdot \boldsymbol{x} = c) \equiv \boldsymbol{a} \cdot \boldsymbol{x} \le c-1 \vee \boldsymbol{a} \cdot \boldsymbol{x} \ge c+1$, 
and the order relation $\le$ can easily be expressed by introducing an 
additional existentially quantified variable. Moreover, we have 

$$\neg V_p(x,y) \equiv y = 0 \vee \exists z: V_p(z,y) \wedge \neg(x = z).$$

Finally, $P_p(x) := V_p(x,x)$ denotes the macro asserting that $x$ is a power of $p$. 
Given a formula $\Phi(\boldsymbol{x})$ of Büchi arithmetic of base $p$, we define 

$$[\Phi(\boldsymbol{x})]_p := \{\boldsymbol{m} \in \mathbb{N}^d : \Phi[\boldsymbol{m}/\boldsymbol{x}] \text{ is valid}\},$$


$^3$ Other conventions are possible, e.g., asserting that $V_p(x,0)$ holds if and only if $x = 1$ 
as in [3], but this does not change the sets of numbers definable in Büchi arithmetic. 
where, for $\boldsymbol{m} = (m_1,\ldots,m_d)$ and $\boldsymbol{x} = (x_1,\ldots,x_d)$, $\Phi[\boldsymbol{m}/\boldsymbol{x}]$ is the formula 
obtained from replacing every $x_i$ by $m_i$ in $\Phi$. The set of sets of numbers definable 
in Presburger arithmetic is denoted by 

$$\mathrm{PA} := \{[\Phi(\boldsymbol{x})] : \Phi(\boldsymbol{x}) \text{ is a formula of Presburger arithmetic}\}.$$

Analogously, we define the sets of numbers definable in fragments of Büchi arithmetic 
of base $p$ with a fixed number of quantifier alternations as 

$$\Sigma_i\text{-}\mathrm{BA}_p := \{[\Phi(\boldsymbol{x})]_p : \Phi(\boldsymbol{x}) \text{ is a } \Sigma_i\text{-formula of Büchi arithmetic of base } p\}.$$

Finally, $\mathrm{BA}_p := \bigcup_{i \ge 1} \Sigma_i\text{-}\mathrm{BA}_p$ denotes the sets of numbers definable in Büchi 
arithmetic of base $p$. 

For separating existential Büchi arithmetic from full Büchi arithmetic, we 
employ some tools from enumerative combinatorics. As defined in [15], a formula 
of parametric Presburger arithmetic with parameter $t$ is a formula of Presburger 
arithmetic $\Phi_t$ in which atomic formulas are of the form $\boldsymbol{a} \cdot \boldsymbol{x} = c(t)$, where $c(t)$ 
is a univariate polynomial with indeterminate $t$ and coefficients in $\mathbb{Z}$. For $n \in \mathbb{N}$, 
we denote by $\Phi_n$ the formula of Presburger arithmetic obtained from replacing 
$c(t)$ in every atomic formula of $\Phi_t$ by the value of $c(n)$. We associate to a formula 
$\Phi_t(\boldsymbol{x})$ the counting function $\#\Phi_t(\boldsymbol{x}): \mathbb{N} \to \mathbb{N} \cup \{\infty\}$ such that 

$$\#\Phi_t(\boldsymbol{x})(n) = \#[\Phi_n(\boldsymbol{x})].$$

Throughout this paper, we constrain ourselves to formulas $\Phi_t(\boldsymbol{x})$ of parametric 
Presburger arithmetic in which $c(t)$ is the identity function and $\#\Phi_t(\boldsymbol{x})(n)$ is 
finite for all $n \in \mathbb{N}$. 


Definition 1. A function $f: \mathbb{N} \to \mathbb{Q}$ is an eventual quasi-polynomial if there 
exist a threshold $t \in \mathbb{N}$ and polynomials $p_0,\ldots,p_{m-1} \in \mathbb{Q}[x]$ such that for all 
$n \ge t$, $f(n) = p_i(n)$ whenever $n \equiv i \bmod m$. 

Given an eventual quasi-polynomial $f$ with threshold $t$ and $n \ge t$, we denote 
by $f_n$ the polynomial $p_i$ such that $n \equiv i \bmod m$. We say that the polynomials 
$p_0,\ldots,p_{m-1}$ constitute the eventual quasi-polynomial $f$. A result by Woods [15, 
Thm. 3.5(b)] shows that the counting functions associated to parametric Presburger 
formulas as defined above are eventual quasi-polynomials. 

Proposition 1 (Woods). Let $\Phi_t(\boldsymbol{x})$ be a formula of parametric Presburger 
arithmetic. Then $\#\Phi_t(\boldsymbol{x})$ is an eventual quasi-polynomial. 


Semi-linear sets. A result by Ginsburg and Spanier establishes that the sets of 
numbers definable in Presburger arithmetic are semi-linear sets [7]. A linear set 
in dimension $d$ is given by a base vector $\boldsymbol{b} \in \mathbb{N}^d$ and a finite set of period vectors 
$P = \{\boldsymbol{p}_1,\ldots,\boldsymbol{p}_n\} \subseteq \mathbb{N}^d$ and defines the set 

$$L(\boldsymbol{b}, P) := \{\boldsymbol{b} + \lambda_1 \cdot \boldsymbol{p}_1 + \cdots + \lambda_n \cdot \boldsymbol{p}_n : \lambda_i \in \mathbb{N},\ 1 \le i \le n\}.$$

A semi-linear set is a finite union of linear sets. For a finite $B \subseteq \mathbb{N}^d$, we write 
$L(B, P)$ for $\bigcup_{\boldsymbol{b} \in B} L(\boldsymbol{b}, P)$. Semi-linear sets of the form $L(B, P)$ are called hybrid 


314 C. Haase and J. Różycki 


linear sets in [5], and it is known that the set of non-negative integer solutions 
of a system of linear Diophantine inequalities $S: A \cdot \boldsymbol{x} \ge \boldsymbol{c}$ is a hybrid linear 
set [5]. 

Semi-linear sets in dimension one are also known as ultimately periodic sets. 
In this paper, we represent an ultimately periodic set as a four-tuple $U = 
(t, \ell, B, R)$, where $t \ge 0$ is a threshold, $\ell > 0$ is a period, $B \subseteq \{0,\ldots,t-1\}$ 
and $R \subseteq \{0,\ldots,\ell-1\}$, and $U$ defines the set 

$$[\![U]\!] = B \cup \{t + r + \ell \cdot i : r \in R,\ i \ge 0\}.$$


3 The inexpressiveness of existential Büchi arithmetic 


We now establish the main result of this paper and show that the existential 
fragment of Büchi arithmetic is strictly less expressive than general Büchi 
arithmetic. 


Theorem 1. For any base $p \ge 2$, $\Sigma_1\text{-}\mathrm{BA}_p \ne \mathrm{BA}_p$. In particular, there exists 
a fixed regular language $L \subseteq \{0,1\}^*$ such that $[L]_p \in \mathrm{BA}_p \setminus \Sigma_1\text{-}\mathrm{BA}_p$ for every 
base $p \ge 2$. 


Given a set $M \subseteq \mathbb{N}$, recall that for a fixed base $p \ge 2$, $d_M(n)$ counts the numbers 
of bit-length $n$ in base $p$ in $M$. As already discussed in the introduction, we prove 
Theorem 1 by characterizing the growth of $d_M$ for sets $M$ definable in Büchi 
arithmetic. 

For any formula $\Phi(\boldsymbol{x})$ of existential Büchi arithmetic in prenex normal form, 
we can with no loss of generality assume that its matrix is in disjunctive normal 
form, i.e., a disjunction of systems of linear Diophantine equations with valuation 
constraints, each of the form 

$$A \cdot \boldsymbol{x} = \boldsymbol{c} \wedge \bigwedge_{i \in I} V_p(x_i, y_i),$$

where the $x_i$ and $y_i$ are unknowns from the vector of unknowns $\boldsymbol{x}$. For $M = 
[\Phi(\boldsymbol{x})]_p$, in order to determine the growth of $d_M$, it suffices to determine the 
maximum growth occurring in any of the systems of linear Diophantine equations 
with valuation constraints in the matrix of $\Phi(\boldsymbol{x})$, which in turn can be obtained 
by analyzing the growth of the number of words accepted by a $p$-automaton 
defining the set of solutions of such a system. 

Let $S: A \cdot \boldsymbol{x} = \boldsymbol{c}$ be a system of linear Diophantine equations such that, 
throughout this section, $A$ is an $m \times d$ integer matrix, and fix a base $p \ge 2$. Following 
Wolper and Boigelot [14], we define an automaton $\mathcal{A} := (Q, \Sigma, \delta, q_0, F)$ 
whose language encodes all solutions of $S$ over the alphabet $\Sigma_p^d$: 

– $Q := \mathbb{Z}^m$, 
– $\delta(\boldsymbol{q}, \boldsymbol{u}) := p \cdot \boldsymbol{q} + A \cdot \boldsymbol{u}$ for all $\boldsymbol{q} \in Q$ and $\boldsymbol{u} \in \Sigma_p^d$, 
– $q_0 := \boldsymbol{0}$, and 
– $F := \{\boldsymbol{c}\}$. 

Reading a word $w$ from the initial state thus ends in the state $A \cdot [w]_p$, so $w$ is 
accepted if and only if $[w]_p$ solves $S$. As discussed in [14], see also [8], only states $\boldsymbol{q}$ 
such that $\|\boldsymbol{q}\|_\infty \le \max(\|A\|_{1,\infty}, \|\boldsymbol{c}\|_\infty)$ can reach the accepting state: if 
$\boldsymbol{r} = p \cdot \boldsymbol{q} + A \cdot \boldsymbol{u}$ satisfies this bound then so does $\boldsymbol{q}$, since 
$\|A \cdot \boldsymbol{u}\|_\infty \le (p-1) \cdot \|A\|_{1,\infty}$. Hence, all words $w \in (\Sigma_p^d)^*$ such 
that $A \cdot [w]_p = \boldsymbol{c}$ only visit a finite number of states of $\mathcal{A}$, and to obtain the 
$p$-automaton $\mathcal{A}(S)$ defining the set of solutions of $S$ we subsequently restrict $Q$ 
to only such states. The following lemma recalls an algebraic characterization 
of the reachability relation of $\mathcal{A}(S)$ established in the proof of Proposition 14 in 
[8]. 

Lemma 1. Let $\boldsymbol{q}, \boldsymbol{r} \in \mathbb{Z}^m$ be states of $\mathcal{A}(S)$, $w \in (\Sigma_p^d)^n$ and $\boldsymbol{x} = [w]_p$. Then 
$\boldsymbol{q} \xrightarrow{w} \boldsymbol{r}$ if and only if there is $y \in \mathbb{N}$ such that 

$$\boldsymbol{r} = \boldsymbol{q} \cdot y + A \cdot \boldsymbol{x},\qquad \|\boldsymbol{x}\|_\infty < y,\qquad y = p^n.$$
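As an added illustration (this is example code, not code from the paper), the following Python builds the pruned automaton $\mathcal{A}(S)$ exactly as defined above: states are integer vectors, $\delta(\boldsymbol{q},\boldsymbol{u}) = p \cdot \boldsymbol{q} + A \cdot \boldsymbol{u}$, exploration from $\boldsymbol{0}$ is cut off at the norm bound, and states that cannot reach $\boldsymbol{c}$ are discarded so that only live states remain. It also counts accepted words per length, which is the quantity whose growth this section analyzes, and `run` lets one check the characterization of Lemma 1 on concrete states. The systems $x + y = 3$ and $x - 2y = 0$ in base 2 are constructed inputs chosen for this example.

```python
"""Wolper-Boigelot automaton for a system A*x = c in base p.

Added example: builds the pruned p-automaton A(S) described in the text,
runs words on it and counts accepted words per length.
"""
from itertools import product


def build_automaton(A, c, p):
    """Return the live part of the p-automaton for A*x = c.

    States are tuples q in Z^m, delta(q, u) = p*q + A*u, q0 = 0, F = {c}.
    Exploration from 0 is pruned with ||q||_inf <= max(||A||_{1,inf}, ||c||_inf);
    afterwards only states that can still reach c are kept, so the result has
    only live states as assumed throughout the paper.
    """
    m, d = len(A), len(A[0])
    bound = max(max(sum(abs(a) for a in row) for row in A), max(abs(v) for v in c))
    alphabet = list(product(range(p), repeat=d))  # Sigma_p^d
    q0, final = (0,) * m, tuple(c)

    def step(q, u):
        return tuple(p * q[i] + sum(A[i][j] * u[j] for j in range(d)) for i in range(m))

    delta, seen, todo = {}, {q0}, [q0]
    while todo:
        q = todo.pop()
        for u in alphabet:
            r = step(q, u)
            if max(abs(v) for v in r) > bound:
                continue  # r cannot lie on any accepting run
            delta[(q, u)] = r
            if r not in seen:
                seen.add(r)
                todo.append(r)

    # backward closure: keep exactly the states from which c is reachable
    live = {final} if final in seen else set()
    changed = True
    while changed:
        changed = False
        for (q, _), r in delta.items():
            if r in live and q not in live:
                live.add(q)
                changed = True
    delta = {(q, u): r for (q, u), r in delta.items() if q in live and r in live}
    return {"states": live, "delta": delta, "q0": q0, "final": final, "p": p}


def run(aut, q, word):
    """Follow word from state q; None plays the role of the undefined value."""
    for u in word:
        q = aut["delta"].get((q, u))
        if q is None:
            return None
    return q


def accepts(aut, word):
    return run(aut, aut["q0"], word) == aut["final"]


def encode(values, p, length):
    """Most-significant-digit-first base-p encoding of a tuple as a word of given length."""
    return [tuple((v // p ** (length - 1 - i)) % p for v in values) for i in range(length)]


def count_accepted(aut, n):
    """Number of accepted words of length n, i.e. solutions with all entries < p^n."""
    dist = {aut["q0"]: 1}
    for _ in range(n):
        nxt = {}
        for (q, _u), r in aut["delta"].items():
            if q in dist:
                nxt[r] = nxt.get(r, 0) + dist[q]
        dist = nxt
    return dist.get(aut["final"], 0)


if __name__ == "__main__":
    # constructed sample system: x + y = 3 in base 2
    aut = build_automaton([[1, 1]], [3], 2)
    print(sorted(aut["states"]), accepts(aut, encode((1, 2), 2, 2)))
    print([count_accepted(aut, n) for n in range(1, 7)])
```

For $x + y = 3$ the live states are $0$, $1$ and $3$ and exactly four words of every length $n \ge 2$ are accepted, one per solution; for $x - 2y = 0$ the count doubles with every additional digit, the two growth behaviours that Lemma 5 below separates.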


Let $x$ be a distinguished variable of $\boldsymbol{x}$. For a word $w \in (\Sigma_p^d)^*$ encoding 
solutions of $S$, denote by $\pi_x(w)$ the word $v \in \Sigma_p^*$ obtained from projecting $w$ 
onto the component of $w$ corresponding to $x$. Let $q$ be a state of a $p$-automaton 
$\mathcal{A}$; define the counting function $C_{q,x}: \mathbb{N} \to \mathbb{N}$ as 

$$C_{q,x}(n) := \#\{\pi_x(w) : q \xrightarrow{w} q,\ w \in (\Sigma_p^d)^n\}.$$


We now show that for $p$-automata arising from systems of linear Diophantine 
equations, $C_{q,x}$ can be obtained from an eventual quasi-polynomial. 


Lemma 2. For the $p$-automaton $\mathcal{A}(S)$ associated to $S: A \cdot \boldsymbol{x} = \boldsymbol{c}$ with states 
$Q$ and all $q \in Q$, there is an eventual quasi-polynomial $f$ such that $C_{q,x}(n) = 
f(p^n)$ for all $n \in \mathbb{N}$. Moreover, for all sufficiently large $n \in \mathbb{N}$, $f_{p^n}$ is a linear 
polynomial. 


Proof. Let $q = \boldsymbol{q} \in \mathbb{Z}^m$. By Lemma 1, $q \xrightarrow{w} q$ for $w \in (\Sigma_p^d)^n$ if and only if there 
is a $y \in \mathbb{N}$ such that 

$$\boldsymbol{q} = \boldsymbol{q} \cdot y + A \cdot \boldsymbol{x},\qquad \|\boldsymbol{x}\|_\infty < y,\qquad y = p^n,$$

where $\boldsymbol{x} = [w]_p$. The set of solutions of $S': A \cdot \boldsymbol{x} + \boldsymbol{q} \cdot y = \boldsymbol{q},\ \|\boldsymbol{x}\|_\infty < y$ is a 
hybrid linear set $L(D, R) \subseteq \mathbb{N}^{d+1}$. Let $L(B, P) \subseteq \mathbb{N}^2$ be obtained from $L(D, R)$ 
by projecting onto the components corresponding to $x$ and $y$, and assume that 
$x$ corresponds to the first and $y$ to the second component of $L(B, P)$. Let $M_t := 
\mathbb{N} \times \{t\}$ and 

$$f(t) := \#(L(B, P) \cap M_t).$$

Observe that $C_{q,x}(n) = f(p^n)$ and that $f(n)$ is finite for all $n \in \mathbb{N}$ due to the 
constraint $x < y$. Let $P = \{\boldsymbol{p}_1,\ldots,\boldsymbol{p}_k\}$; the following formula of parametric 
Presburger arithmetic defines $L(B, P) \cap M_t$: 

$$\Phi_t(x,y) := \exists z_1 \cdots \exists z_k: \bigvee_{\boldsymbol{b} \in B} \binom{x}{y} = \boldsymbol{b} + \sum_{i=1}^{k} \boldsymbol{p}_i \cdot z_i \wedge y = t.$$

Thus, $f = \#\Phi_t(x,y)$ and, by application of Proposition 1, $f$ is an eventual 
quasi-polynomial. 

Since $C_{q,x}(n) \le p^n$ for all $n \in \mathbb{N}$, we in particular have that all polynomials 
$f_{p^n}$ constituting $f$ are linear as they would otherwise outgrow $C_{q,x}$. 
The next step is to lift Lemma 2 to systems of linear Diophantine equations 
with valuation constraints. To this end, we define a DFA whose language encodes 
the set of all solutions of predicates of the form $V_p(x,y)$. Formally, for $S: V_p(x,y)$ 
we define $\mathcal{A}(S) := (Q, \Sigma_p^d, \delta, q_0, F)$ such that 

– $Q := \{0,1\}$, 
– $\delta(0,\boldsymbol{u}) := 0$ for all $\boldsymbol{u} \in \Sigma_p^d$ such that $\pi_x(\boldsymbol{u}) = 0$, 
– $\delta(0,\boldsymbol{u}) := 1$ for all $\boldsymbol{u} \in \Sigma_p^d$ such that $\pi_x(\boldsymbol{u}) = 1$ and $\pi_y(\boldsymbol{u}) > 0$, 
– $\delta(1,\boldsymbol{u}) := 1$ for all $\boldsymbol{u} \in \Sigma_p^d$ such that $\pi_x(\boldsymbol{u}) = \pi_y(\boldsymbol{u}) = 0$, 
– $q_0 := 0$, and 
– $F := \{1\}$. 

For $S: A \cdot \boldsymbol{x} = \boldsymbol{c} \wedge \bigwedge_{1 \le i \le \ell} V_p(x_i, y_i)$, we denote by $\mathcal{A}(S)$ the DFA that can 
be obtained from the standard product construction on all DFA for the atomic 
formulas of $S$. Hence, the set of states of $\mathcal{A}(S)$ is a finite subset of $\mathbb{Z}^m \times \{0,1\}^\ell$. We 
now show that the number of words along a cycle of $\mathcal{A}(S)$ can also be obtained 
from an eventual quasi-polynomial. 


Lemma 3. Let $S$ be a system of linear Diophantine equations with valuation 
constraints with the associated DFA $\mathcal{A}(S)$ with states $Q$, and let $q \in Q$. There 
is an eventual quasi-polynomial $f$ such that $C_{q,x}(n) = f(p^n)$. Moreover, $f_{p^n}$ is 
a linear polynomial for all $n \in \mathbb{N}$. 


Proof. Let $S: A \cdot \boldsymbol{x} = \boldsymbol{c} \wedge \bigwedge_{1 \le i \le \ell} V_p(x_i, y_i)$; we have $Q \subseteq \mathbb{Z}^m \times \{0,1\}^\ell$ and 
thus $q = (\boldsymbol{q}, b_1,\ldots,b_\ell) \in Q$. Any self-loop $q \xrightarrow{w}_S q$ with $q = (\boldsymbol{q}, b_1,\ldots,b_\ell)$ is 
a self-loop for the DFA induced by the system of linear Diophantine equations 
$A \cdot \boldsymbol{x} = \boldsymbol{c}$ with the additional requirement that $\pi_{x_i}([w]_p) = 0$ for all $1 \le i \le \ell$ 
and furthermore $\pi_{y_i}([w]_p) = 0$ whenever $b_i = 1$. Thus $(\boldsymbol{q}, \boldsymbol{0}) \xrightarrow{w}_{S'} (\boldsymbol{q}, \boldsymbol{0})$, where 

$$S': A \cdot \boldsymbol{x} = \boldsymbol{c} \wedge \bigwedge_{1 \le i \le \ell} x_i = 0 \wedge \bigwedge_{1 \le i \le \ell,\ b_i = 1} y_i = 0.$$

Conversely, $(\boldsymbol{q}, \boldsymbol{0}) \xrightarrow{w}_{S'} (\boldsymbol{q}, \boldsymbol{0})$ immediately gives $q \xrightarrow{w}_S q$. The statement is now 
an immediate consequence of the application of Lemma 2 to $S'$. 


We will from now on implicitly apply Lemma 3. As a first application, we show 
that Lemma 3 allows us to classify the DFA associated to a system of linear 
Diophantine equations with valuation constraints. 


Lemma 4. The DFA $\mathcal{A}(S)$ associated to a system of linear Diophantine equations 
with valuation constraints $S$ with states $Q$ has either of the following properties: 

(i) there is $q \in Q$ such that $C_{q,x}$ is an eventual quasi-polynomial $f$ and $f_{p^n}$ is 
a non-constant polynomial for infinitely many $n \in \mathbb{N}$; or 
(ii) there is a constant $d > 0$ such that $C_{q,x}(n) \le d$ for all $q \in Q$ and $n \in \mathbb{N}$. 

Proof. Suppose $\mathcal{A}(S)$ has Property (i). For a contradiction, suppose $d > 0$ exists. 
Let $f$ be the eventual quasi-polynomial from Property (i). Every non-constant 
polynomial $f_{p^n}$ constituting $f$ is of the form $a \cdot x + b$ with $a > 0$. As there are 
infinitely many such $n$, there is some linear polynomial $g(x) = a \cdot x + b$ such that 
$g = f_{p^n}$ for infinitely many $n \in \mathbb{N}$. Hence $g(p^n) > d$ for some sufficiently large 
$n \in \mathbb{N}$. 

For the converse, suppose that $\mathcal{A}(S)$ does not have Property (i). Then there 
are $\ell, m \ge 0$ such that all $f_{p^n}$ are constant polynomials bounded by the 
value $m \in \mathbb{N}$ for all $n \ge \ell$, $q \in Q$ and $f = C_{q,x}$. Hence we can choose 
$d = \max(\{C_{q,x}(n) : q \in Q,\ 0 \le n < \ell\} \cup \{m\})$. 


We are now in a position to prove a dichotomy of the growth of the number 
of words accepted by a DFA corresponding to a system of linear Diophantine 
equations with valuation constraints. 


Lemma 5. Let $S$ be a fixed system of linear Diophantine equations with valuation 
constraints with the associated DFA $\mathcal{A}(S)$. Let $L = \pi_x(L(\mathcal{A}(S)))$; then 
either 

(i) $d_L(n) \ge c \cdot p^n$ for some fixed constant $c > 0$ and infinitely many $n \in \mathbb{N}$; or 
(ii) $d_L(n) = O(n^c)$ for some fixed constant $c > 0$. 

Proof. Let $\mathcal{A}(S)$ have the set of states $Q$, initial state $q_0$ and final state $q_f$. The 
DFA $\mathcal{A}(S)$ has one of the two properties stated in Lemma 4. 

If $\mathcal{A}(S)$ has Property (i) of Lemma 4 then consider $q \in Q$ such that $C_{q,x}$ 
is an eventual quasi-polynomial $f$ such that $f_{p^n}$ is non-constant for infinitely 
many $n \in \mathbb{N}$, and let $i_1 < i_2 < \cdots \in \mathbb{N}$ be such that all $f_{p^{i_j}}$ are the same 
non-constant polynomial $a \cdot x + b$. Consider $v$ and $w$ such that $q_0 \xrightarrow{v} q \xrightarrow{w} q_f$. 
Then for all sufficiently large $j$ we have 

$$d_L(i_j + |v| + |w|) \ge a \cdot p^{i_j} + b \ge c \cdot p^{i_j + |v| + |w|}$$

for some fixed constant $c > 0$. 

Otherwise, $\mathcal{A}(S)$ has Property (ii) of Lemma 4, and there is some fixed 
$d > 0$ such that $C_{q,x}(n) \le d$ for all $n \in \mathbb{N}$ and $q \in Q$. Every $w \in L$ such that 
$|w| = n$ can uniquely be decomposed as $w = v_0 w_1 v_1 w_2 \cdots w_k v_k$ for some $k \le |Q|$ 
such that 

$$q_0 \xrightarrow{v_0} q_{a_1} \xrightarrow{w_1} q_{a_1} \xrightarrow{v_1} q_{a_2} \xrightarrow{w_2} q_{a_2} \xrightarrow{v_2} \cdots \xrightarrow{w_k} q_{a_k} \xrightarrow{v_k} q_{a_{k+1}} \qquad (1)$$

where $q_{a_{k+1}} = q_f$, $q_{a_i} \ne q_{a_j}$ for all $i \ne j$ and each $q_{a_i} \xrightarrow{v_i} q_{a_{i+1}}$ corresponds to 
a loop-free path in $\mathcal{A}(S)$. Since $C_{q,x} \le d$, there are at most $d^k \le d^{\#Q}$ words 
$u \in L$ of length $n$ that have the same sequence of states in the decomposition of 
Eq. (1) at the same positions where they occur in $w$. Moreover, there are at most 
$\binom{n}{\#Q} \le n^{\#Q}$ possibilities at which the states $q_{a_i}$ can appear in any 
$u \in L$ of length $n$ for any particular sequence of states in the decomposition of 
Eq. (1). Finally, there are at most $(\#Q)^{\#Q}$ such sequences. We thus derive 


for some constant $c > 0$. 




Corollary 1. Let $\Phi(x)$ be a fixed formula of existential Büchi arithmetic of base 
$p \ge 2$. Let $M = [\Phi(x)]_p$; then either: 

(i) $d_M(n) \ge c \cdot p^n$ for some fixed constant $c > 0$ and infinitely many $n \in \mathbb{N}$; or 
(ii) $d_M(n) = O(n^c)$ for some fixed constant $c > 0$. 

Proof. Without loss of generality we may assume that $\Phi(x)$ is in disjunctive 
normal form such that $\Phi(x) = \bigvee_{i \in I} \Phi_i(x)$ and each $\Phi_i(x)$ is a system of linear 
Diophantine equations with valuation constraints $S_i$. For $M_i = [\Phi_i(x)]_p$, we 
obtain $d_{M_i}$ by application of Lemma 5. If there is a constant $c > 0$ such that 
$d_{M_i} = O(n^c)$ for all $i \in I$ then $d_M = O(n^c)$. Otherwise, if there is some $i \in I$ 
such that $d_{M_i}(n) \ge c \cdot p^n$ for some constant $c > 0$ and infinitely many $n \in \mathbb{N}$ 
then $d_M(n) \ge c \cdot p^n$ for infinitely many $n \in \mathbb{N}$. 


As an immediate consequence of Corollary 1, we obtain: 

Corollary 2. Let $p \ge 2$ and $M \subseteq \mathbb{N}$ such that $f = o(d_M)$ for any $f = O(n^c)$, 
$c > 0$, and $d_M = o(p^n)$. Then $M \notin \Sigma_1\text{-}\mathrm{BA}_p$. 

For any $p \ge 2$, consider $L = \{01,10\}^* \subseteq \Sigma_p^*$ and $M = [L]_p$. We have $d_M(n) = 
\Theta(2^{n/2})$, and thus Corollary 2 yields $M \notin \Sigma_1\text{-}\mathrm{BA}_p$. However, since $M$ is $p$-regular, 
we have $M \in \mathrm{BA}_p$. This concludes the proof of Theorem 1. 
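The counting argument can be checked numerically. The following Python (an added example, not the paper's code) computes $d_M(n)$ for $M = [L]_2$ from a regular expression for $L$. Since $[\cdot]_p$ is not injective, membership of a number $m$ means that some zero-padded expansion $0^k\,\mathrm{expansion}(m)$ lies in $L$; the code tries at most one padding zero, an assumption of this example that is exact for the two constructed languages used here: the separating language $\{01,10\}^*$ of Theorem 1, whose counts grow like $2^{n/2}$ (no word of it starts with $00$), and $1\,0^*\,1\,0^*$, of the polynomial-growth shape $v_0 w_1^* v_1 w_2^* v_2$ from the introduction, whose counts grow linearly (no word of it starts with $0$ at all).

```python
"""Counting function d_M(n) for M = [L]_p, L given by a regular expression.

Added example checking the growth dichotomy of Section 3 numerically.
"""
import re


def expansion(m, p):
    """Base-p expansion of m >= 0 as a digit string, most significant digit first,
    without leading zeros (requires p <= 10 so that digits are single characters)."""
    if m == 0:
        return "0"
    digits = []
    while m:
        digits.append(str(m % p))
        m //= p
    return "".join(reversed(digits))


def encoded_language_member(pattern, p, max_pad=1):
    """Membership test for [L]_p, where L is the language of `pattern` over Sigma_p.

    Because [.]_p is not injective, m lies in [L]_p iff some 0^k * expansion(m) is in L.
    Only paddings k <= max_pad are tried; this is an assumption of the example that is
    exact for the two languages below (neither contains a word starting with 00).
    """
    rx = re.compile(pattern)

    def member(m):
        w = expansion(m, p)
        return any(rx.fullmatch("0" * k + w) is not None for k in range(max_pad + 1))

    return member


def d(member, p, n):
    """d_M(n) = #(M ∩ {p^(n-1), ..., p^n - 1}): elements of M of length n in base p."""
    return sum(1 for m in range(p ** (n - 1), p ** n) if member(m))


def growth_profile(member, p, ns):
    """d_M(n) for every n in ns, in order."""
    return [d(member, p, n) for n in ns]


# Constructed sample languages over Sigma_2:
ALT = encoded_language_member(r"(01|10)*", 2)     # the separating language {01,10}* of Theorem 1
TWO_ONES = encoded_language_member(r"10*10*", 2)  # shape v0 w1* v1 w2* v2: polynomial growth

if __name__ == "__main__":
    ns = range(2, 13)
    print("{01,10}*  :", growth_profile(ALT, 2, ns))       # doubles every two lengths
    print("1 0* 1 0* :", growth_profile(TWO_ONES, 2, ns))  # grows by one per length
```

For $\{01,10\}^*$ the output is $1, 2, 2, 4, 4, 8, \ldots$, i.e. $d_M(n) = 2^{\lfloor (n-1)/2 \rfloor}$, which is neither $O(n^c)$ nor $\Omega(p^n)$ on infinitely many $n$ and so falls outside both cases of Corollary 1; for $1\,0^*\,1\,0^*$ it is $1, 2, 3, \ldots$, i.e. $d_M(n) = n - 1$, the polynomial case.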


4 Expressive completeness of the $\Sigma_2$-fragment of Büchi arithmetic 


For a regular language $L \subseteq (\Sigma_p^n)^*$ given by a DFA, Villemaire shows in the 
proof of Theorem 2.2 in [13] how to construct a $\Sigma_3$-formula of Büchi arithmetic 
$\Phi_L(\boldsymbol{x})$ such that $[\Phi_L(\boldsymbol{x})]_p = [L]_p$. This construction is modularized and relies 
on an existential formula $\Phi_{p,j}(x,y)$ expressing that "$x$ is a power of $p$ and the 
coefficient of this power of $p$ in the representation of $y$ in base $p$ is $j$": 

$$\Phi_{p,j}(x,y) := P_p(x) \wedge \exists t\, \exists u\, \exists z: (y = z + j \cdot x + t) \wedge (z < x) \wedge ((V_p(u,t) \wedge x < u) \vee t = 0).$$
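To make the semantics of $V_p$ and of $\Phi_{p,j}$ concrete, here is an added Python example (not from the paper) that decides both by bounded search over the existential witnesses $t$, $u$, $z$ and compares $\Phi_{p,j}(p^k, y)$ with direct extraction of the $k$-th base-$p$ digit of $y$. The search bounds follow from the formula itself: $z < x$, $t$ is then fixed by $y = z + j \cdot x + t$, and $V_p(u,t)$ forces $u \le t$. Restricting $j$ to $\Sigma_p$ is an assumption of this example, since the predicate is only meaningful for digit values.

```python
"""V_p and Villemaire's digit predicate Phi_{p,j}(x, y), evaluated by brute force.

Added example: the existential formula is decided by enumerating its witnesses
and compared against direct digit extraction.
"""


def is_power(p, x):
    """True iff x = p^k for some k >= 0."""
    if x <= 0:
        return False
    while x % p == 0:
        x //= p
    return x == 1


def V(p, a, b):
    """V_p(a, b): a is the largest power of p dividing b, i.e. a = p^k, a | b and p*a
    does not divide b.  Following the paper's convention, V_p(a, 0) never holds."""
    if b == 0 or not is_power(p, a):
        return False
    return b % a == 0 and b % (p * a) != 0


def P(p, x):
    """P_p(x) := V_p(x, x): x is a power of p."""
    return V(p, x, x)


def phi(p, j, x, y):
    """Phi_{p,j}(x, y) := P_p(x) ∧ ∃t ∃u ∃z: y = z + j*x + t ∧ z < x ∧ ((V_p(u,t) ∧ x < u) ∨ t = 0).

    Witness search is bounded: z ranges over 0..x-1, t is then fixed by the equation, and
    u only needs to range over powers of p up to t (V_p(u, t) forces u <= t).
    Assumption of this example: j is a digit, 0 <= j < p.
    """
    if not P(p, x):
        return False
    for z in range(x):
        t = y - z - j * x
        if t < 0:
            continue
        if t == 0:
            return True
        u = 1
        while u <= t:
            if V(p, u, t) and x < u:
                return True
            u *= p
    return False


def digit_at(p, k, y):
    """Coefficient of p^k in the base-p expansion of y."""
    return (y // p ** k) % p


def agrees_with_digit_extraction(p, max_k, max_y):
    """Check Phi_{p,j}(p^k, y) <=> digit_at(p, k, y) == j on a finite range."""
    return all(
        phi(p, j, p ** k, y) == (digit_at(p, k, y) == j)
        for k in range(max_k + 1)
        for y in range(max_y + 1)
        for j in range(p)
    )


if __name__ == "__main__":
    print(agrees_with_digit_extraction(2, 5, 150), agrees_with_digit_extraction(3, 3, 150))
```

The check succeeds because $t$ is forced to be a multiple of $p \cdot x$ (its largest dividing power of $p$ exceeds $x$) or zero, so $y \bmod (p \cdot x) = z + j \cdot x$ with $z < x$ pins the digit at position $k$ to $j$.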


The only reason why $\Phi_L(\boldsymbol{x})$ in [13] is a $\Sigma_3$-formula is that $\Phi_{p,j}(x,y)$ appears in an 
implication both as antecedent and as consequent inside an existential formula. 
Thus, if one could additionally define $\Phi_{p,j}(x,y)$ by a $\Pi_1$-formula then $\Phi_L(\boldsymbol{x})$ 
immediately becomes a $\Sigma_2$-formula. That is, however, not difficult to achieve by 
defining: 

$$\Phi_{p,j}(x,y) := P_p(x) \wedge \forall s\, \forall t\, \forall u\, \forall z: \big((y \ne z + s \cdot x + t) \vee (z \ge x) \vee ((\neg V_p(u,t) \vee x \ge u) \wedge t \ne 0)\big) \vee (s = j).$$

Note that the order relation can also be expressed by a universal formula: $x \le y$ 
if and only if $\forall z: (y + z = x) \to (z = 0)$. Thus, $\Phi_{p,j}(x,y)$ is indeed a $\Pi_1$-formula. 


Combining $\Phi_{p,j}(x,y)$ with the results in [13], we obtain that the $\Sigma_2$-fragment 
of Büchi arithmetic is expressively complete. 


Theorem 2. For any base $p \ge 2$, $\Sigma_2\text{-}\mathrm{BA}_p = \mathrm{BA}_p$. 
5 Existential Büchi arithmetic defines regular languages of polynomial growth 


For a language $L \subseteq \Sigma^*$, Szilard et al. [11] say that $L$ has polynomial growth if 
$d_L(n) = O(n^c)$ for some constant $c > 0$ and all $n \in \mathbb{N}$. One of the main results 
of [11] is that a regular language $L$ has polynomial growth if and only if $L$ can 
be represented as a finite union of regular expressions of the form 

$$v_0 w_1^* v_1 \cdots v_{k-1} w_k^* v_k. \qquad (2)$$

Denote by 

$$\mathrm{PREG}_p := \{[L]_p : L \subseteq \Sigma_p^*,\ L \text{ is a regular language of polynomial growth}\}$$

the numerical encoding of all regular languages of polynomial growth in base 
$p$. We show in this section that existential Büchi arithmetic defines any regular 
language of the form in Eq. (2). This immediately gives the following theorem. 


Theorem 3. For any base $p \ge 2$, $\mathrm{PREG}_p \subseteq \Sigma_1\text{-}\mathrm{BA}_p$. 


We first require a couple of abbreviations. Define 

$$W_p(x,y) := P_p(y) \wedge x < y \le p \cdot x,$$

which expresses that $y$ is the smallest power of $p$ strictly greater than $x$. 
Let $\ell > 0$; Lohrey and Zetzsche introduce in [9] the predicate $S_\ell(x,y)$ which 
holds whenever 

$$x = p^r \text{ and } y = p^{r + \ell \cdot i} \text{ for some } i, r \ge 0.$$

They show that $S_\ell(x,y)$ is definable in existential Büchi arithmetic. Since, for powers 
of $p$ with $x \le y$, $y = p^{\ell \cdot i} \cdot x$ if and only if $y \equiv x \bmod (p^\ell - 1)$, one can obtain $S_\ell$ as 

$$S_\ell(x,y) := P_p(x) \wedge P_p(y) \wedge \exists z: (y - x = (p^\ell - 1) \cdot z) \wedge y \ge x.$$


We slightly generalize $S_\ell$. Let $U \subseteq \mathbb{N}$; define the predicate $S_U(x,y)$ to hold 
whenever 

$$x = p^r \text{ and } y = p^{r+u} \text{ for some } r \ge 0 \text{ and } u \in U.$$


Lemma 6. For any ultimately periodic set $U \subseteq \mathbb{N}$, the predicate $S_U(x,y)$ is 
definable in existential Büchi arithmetic. 


Proof. Suppose that $U$ is given as $(t, \ell, B, R)$; we define 

$$S_U(x,y) := P_p(x) \wedge P_p(y) \wedge \Big(\bigvee_{b \in B} y = p^b \cdot x \vee \bigvee_{r \in R} S_\ell(p^{t+r} \cdot x, y)\Big).$$


Towards proving Theorem 3, we now show that we can define $[w^*]_p$ for any 
$w \in \Sigma_p^*$. 

Lemma 7. For any $w \in \Sigma_p^*$, $[w^*]_p$ is definable by a formula of existential Büchi 
arithmetic $\Phi_{w^*}(x)$. 


Proof. The case $w = \varepsilon$ is trivial, as $[\varepsilon^*]_p = \{0\}$ is defined by $x = 0$. Otherwise, 
let $\ell = |w|$ and $m = p^\ell$ (for $w$ without leading zeros, $m$ is the smallest power of $p$ 
greater than $[w]_p$); appending $w$ to a word multiplies its value by $m$. Then for any 
$k \ge 0$, 

$$[w^k]_p = \sum_{i=0}^{k-1} [w]_p \cdot m^i = [w]_p \cdot \frac{m^k - 1}{m - 1}.$$

It follows that $[w^*]_p$ is defined by 

$$\Phi_{w^*}(x) := x = 0 \vee \exists y: S_\ell(m, y) \wedge (m - 1) \cdot x = [w]_p \cdot (y - 1).$$


Building upon Lemma 7, we now show that, for any $w \in \Sigma_p^+$, we can define $[w^+]_p$ 
shifted to the left by a number of zeros specified by an ultimately periodic set. 


Lemma 8. Let $w \in \Sigma_p^+$ and $U$ be an ultimately periodic set. Then $[w^+ 0^U]_p$ is 
definable by a formula of existential Büchi arithmetic $\Phi_{U,w^+}(x)$. 


Proof. The case $w \in 0^*$ is trivial. Thus, let $w = w' \cdot w_0$ such that $w' \in \Sigma_p^* (\Sigma_p \setminus 
\{0\})$ and $w_0 \in 0^*$. Observe that for $i < j$, $[w^j]_p - [w^i]_p = [w^{j-i} 0^{i \cdot |w|}]_p$. We define 

$$\Phi_{U,w^+}(x) := \exists y\, \exists z: y < z \wedge \Phi_{w^*}(y) \wedge \Phi_{w^*}(z) \wedge \bigvee_{0 \le i < |w|} x = p^i \cdot (z - y) \wedge{}$$
$$\exists s\, \exists t: S_U(1, s) \wedge V_p(t, x) \wedge t = p^{|w_0|} \cdot s.$$

The first line defines the set $[w^+ 0^*]_p$, whereas the second line ensures that the 
trailing number of zeros is in the set $U + |w_0|$. 


We have now all the ingredients to prove the following key proposition. 


Proposition 2. Let $L = v_0 w_1^* v_1 \cdots v_{k-1} w_k^* v_k$. Then $[L]_p$ is definable in 
existential Büchi arithmetic. 


Proof. Since $w^* = \{\varepsilon\} \cup w^+$, $L$ is a finite union of languages of the form 

$$L' = v_0 w_1^+ v_1 \cdots v_{k-1} w_k^+ v_k,$$

so the proposition follows from showing the statement for languages of this form. 
We show the statement by induction on $k$. The induction base case $k = 0$ is 
trivial. For the induction step, assume that for $M = v_1 w_2^+ v_2 \cdots v_{k-1} w_k^+ v_k$, $[M]_p$ 
is defined by a formula $\Phi_M(x)$ of existential Büchi arithmetic, and let $v_0, w_1 \in \Sigma_p^*$. 

We first show how to define $N = w_1^+ v_1 w_2^+ v_2 \cdots v_{k-1} w_k^+ v_k$. To this end, factor 
$M = M_0 \cdot M'$, where $M_0 \subseteq 0^*$ and $M' \subseteq (\Sigma_p \setminus \{0\}) \cdot \Sigma_p^*$. Observe that $[M']_p = 
[\Phi_M(x)]_p$, and that both $U = \{|w| : w \in M\}$ and $V = \{|u| : u \in M_0\}$ are 
ultimately periodic sets, cf. [6,12]. We moreover assume that $w_1 \notin 0^*$, otherwise 
we are done. Factor $w_1 = w' \cdot w_0$ such that $w' \in \Sigma_p^* \cdot (\Sigma_p \setminus \{0\})$ and $w_0 \in 0^*$. 
Recall that $W_p(x,y)$ holds if and only if $y$ is the smallest power of $p$ strictly 
greater than $x$, and define 

$$\Phi_N(x) := \exists y\, \exists z: \Phi_M(y) \wedge \Phi_{U,w_1^+}(z) \wedge x = y + z \wedge{}$$
$$\exists s\, \exists t: W_p(y,s) \wedge S_V(s,t) \wedge V_p(p^{|w_0|} \cdot t, z).$$

The first line composes $x$ as the sum of some $y \in [M]_p$ and $z \in [w_1^+ 0^U]_p$. 
The second line ensures that the number of zeros between the leading digit of $y$ 
and the last non-zero digit of $z$ in their $p$-ary expansion is in $V + |w_0|$. Thus, 
$[N]_p = [\Phi_N(x)]_p$. 

We now show how to define $L'$ along similar lines. To this end, factor $N = 
N_0 \cdot N'$ such that $N_0 \subseteq 0^*$ and $N' \subseteq (\Sigma_p \setminus \{0\}) \cdot \Sigma_p^*$, and let $T = \{|w| : w \in 
N_0\}$, which is an ultimately periodic set. We now obtain the desired formula of 
existential Büchi arithmetic as 

$$\Phi_{L'}(x) := \exists y\, \exists z: x = y + z \cdot [v_0]_p \wedge \Phi_N(y) \wedge \exists s: W_p(y,s) \wedge S_T(s,z).$$

Since we can define any regular language of the form (2) in existential Büchi 
arithmetic via Proposition 2, we can define a finite union of such languages 
and thus define all regular languages of polynomial growth in existential Büchi 
arithmetic. This completes the proof of Theorem 3. 

Note that $\mathrm{PREG}_p \not\subseteq \mathrm{PA}$ for any base $p \ge 2$: since $M = [\Phi(x)]$ is ultimately 
periodic for any formula $\Phi(x)$ of Presburger arithmetic, whenever $[\Phi(x)]$ 
is infinite it follows that $d_M(n) = \Omega(p^n)$, i.e., $M$ is not of polynomial growth. 


6 Conclusion 


The main result of this paper is that existential Büchi arithmetic is strictly 
less expressive than full Büchi arithmetic of any base. This is in contrast to 
Presburger arithmetic, for which it is known that its existential fragment is 
expressively complete. 

When considered as the first-order theory of the structure $(\mathbb{N},0,1,+)$, Presburger 
arithmetic does not have a quantifier elimination procedure. The extended 
structure $(\mathbb{N},0,1,+,\{c \mid \cdot\}_{c>1})$, however, admits quantifier elimination. Those additional 
divisibility predicates are definable in existential Presburger arithmetic. 
Our main result shows that even if we extended the structure underlying Büchi 
arithmetic with predicates definable in existential Büchi arithmetic, the resulting 
first-order theory would not admit quantifier elimination. On the positive side, 
Benedikt et al. [1, Thm. 3.1] give an extension of Büchi arithmetic which has 
quantifier elimination. 

We conclude this paper with an interesting yet likely challenging open problem: 
Is it decidable whether a set definable in Büchi arithmetic is definable in 
existential Büchi arithmetic? 
Abstract. This paper considers parametricity and its resulting free theorems 
for nested data types. Rather than representing nested types via 
their Church encodings in a higher-kinded or dependently typed exten- 
sion of System F, we adopt a functional programming perspective and 
design a Hindley-Milner-style calculus with primitives for constructing 
nested types directly as fixpoints. Our calculus can express all nested 
types appearing in the literature, including truly nested types. At the 
term level, it supports primitive pattern matching, map functions, and 
fold combinators for nested types. Our main contribution is the construc- 
tion of a parametric model for our calculus. This is both delicate and chal- 
lenging: to ensure the existence of semantic fixpoints interpreting nested 
types, and thus to establish a suitable Identity Extension Lemma for our 
calculus, our type system must explicitly track functoriality of types, and 
cocontinuity conditions on the functors interpreting them must be ap- 
propriately threaded throughout the model construction. We prove that 
our model satisfies an appropriate Abstraction Theorem and verifies all 
standard consequences of parametricity for primitive nested types. 


1 Introduction 


Algebraic data types (ADTs), both built-in and user-defined, have long been at 
the core of functional languages such as Haskell, ML, Agda, Epigram, and Idris. 
ADTs, such as that of natural numbers, can be unindexed. But they can also be 
indexed over other types. For example, the ADT of lists (here coded in Agda) 

    data List (A : Set) : Set where 
      nil  : List A 
      cons : A → List A → List A 

is indexed over its element type A. The instance of List at index A depends only 
on itself, and so is independent of List B for any other index B. That is, List, 
like all other ADTs, defines a family of inductive types, one for each index type. 

Over time, there has been a notable trend toward data types whose non-regular 
indexing can capture invariants and other sophisticated properties that 
can be used for program verification and other applications. A simple example 
of such a type is given by Bird and Meertens' [4] prototypical nested type 

    data PTree (A : Set) : Set where 
      pleaf : A → PTree A 
      pnode : PTree (A × A) → PTree A 

of perfect trees, which can be thought of as constraining lists to have lengths that 
are powers of 2. The above code makes clear that perfect trees at index type A 
are defined in terms of perfect trees at index type A × A. This is typical of nested 
types, one type instance of which can depend on others, so that the entire family 
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of types must actually be defined at once. A nested type thus defines not a family 
of inductive types, but rather an inductive family of types. Nested types include 
simple nested types, like perfect trees, none of whose recursive occurrences occur 
below another type constructor; “deep” nested types [18], such as the nested type 


data PForest (A : Set) : Set where
  fempty : PForest A
  fnode  : A → PTree (PForest A) → PForest A


of perfect forests, whose recursive occurrences appear below type constructors 
for other nested types; and truly nested types, such as the nested type 


data Bush (A : Set) : Set where
  bnil  : Bush A
  bcons : A → Bush (Bush A) → Bush A


of bushes, whose recursive occurrences appear below their own type constructors. 

Relational parametricity encodes a powerful notion of type-uniformity, or 
representation independence, for data types in polymorphic languages. It for- 
malizes the intuition that a polymorphic program must act uniformly on all of 
its possible type instantiations by requiring that every such program preserves 
all relations between pairs of types at which it is instantiated. Parametricity was 
originally put forth by Reynolds [24] for System F [11], the calculus at the core of 
all polymorphic functional languages. It was later popularized as Wadler’s “the- 
orems for free” [27], so called because it can deduce properties of programs in 
such languages solely from their types, i.e., with no knowledge whatsoever of the 
text of the programs involved. Most of Wadler’s free theorems are consequences 
of naturality for polymorphic list-processing functions. However, parametricity 
can also derive results that go beyond just naturality, such as correctness for 
ADTs of the program optimization known as short cut fusion [10,14]. 

But what about nested types? Does parametricity still hold if such types 
are added to polymorphic calculi? More practically, can we justifiably reason 
type-independently about (functions over) nested types in functional languages? 

Type-independent reasoning about ADTs in functional languages is usually 
justified by first representing ADTs by their Church encodings, and then rea- 
soning type-independently about these encodings. This is typically justified by 
constructing a parametric model — i.e., a model in which polymorphic func- 
tions preserve relations à la Reynolds — for a suitable fragment of System F, 
demonstrating that an initial algebra exists for the positive type constructor cor- 
responding to the functor underlying an ADT of interest, and showing that each 
such initial algebra is suitably isomorphic to its corresponding Church encoding. 
In fact, this isomorphism of initial algebras and their Church encodings is one 
of the “litmus tests” for the goodness of a parametric model. 

This approach works well for ADTs, which are always fixpoints of first-order 
functors, and whose Church encodings, which involve quantification over only 
type variables, are always expressible in System F. For example, List A is the 
fixpoint of the first-order functor F X = 1 + A × X and has Church encoding 
∀α. α → (A → α → α) → α. But despite Cardelli’s [7] claim that “virtually 
any basic type of interest can be encoded within F₂” — i.e., within System 
F — non-ADT nested types cannot. Not even our prototypical nested type of 
perfect trees has a Church encoding expressible in System F! Indeed, PTree A 
cannot be represented as the fixpoint of any first-order functor. However, it can 
be seen as the instance at index A of the fixpoint of the higher-order functor 
H F A = (A → F A) → (F (A × A) → F A) → F A. It thus has Church 
encoding ∀f. (∀α. α → f α) → (∀α. f (α × α) → f α) → ∀α. f α, which requires 
quantification at the higher kind ∗ → ∗ for f. A similar situation obtains for 
any (non-ADT) nested type. Unfortunately, higher-kinded quantification is not 
available in System F, so if we want to reason type-independently about nested 
types in a language based on it we have only two options: i) move to an extension 
of System F, such as the higher-kinded calculus Fω or a dependent type theory, 
and reason via their Church encodings in a known parametric model for that 
extension, or ii) add nested types to System F as primitives — i.e., as primitive 
type-level fixpoints — and construct a parametric model for the result. 
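To make the higher-order-functor view of perfect trees concrete, here is an added Python example (not code from the paper): PTree is folded with an algebra of two functions that are each uniform in the element type, which is exactly the shape of the Church encoding above, and flatten, size and the reversePTree of Section 2.2 all arise as instances. The function names and the encoding of pairs as Python tuples are the example's own choices; Python has no kinds, so the change of index type from A to A × A at each level is visible only in the data.

```python
# Added example, not from the paper: perfect trees as the fixpoint of a
# higher-order functor, folded with an algebra made of two polymorphic
# functions, mirroring the Church encoding
#   forall f. (forall a. a -> f a) -> (forall a. f (a x a) -> f a) -> forall a. f a
# The node case of the algebra receives an f-structure over *pairs*, which is
# why no first-order fold (algebra fixed at one index type) can express it.
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class PLeaf:
    value: Any


@dataclass(frozen=True)
class PNode:
    sub: Any  # a perfect tree whose elements are pairs (a, a)


def fold_ptree(leaf: Callable, node: Callable, t):
    """Higher-kinded fold: leaf : a -> f a and node : f (a x a) -> f a,
    both uniform in a. The recursive call is at index a x a, not a."""
    if isinstance(t, PLeaf):
        return leaf(t.value)
    return node(fold_ptree(leaf, node, t.sub))


def pmap(g: Callable, t):
    """Functorial action of PTree: below a node, g is applied to both
    components of each pair."""
    if isinstance(t, PLeaf):
        return PLeaf(g(t.value))
    return PNode(pmap(lambda p: (g(p[0]), g(p[1])), t.sub))


def from_list(xs: list):
    """Build a perfect tree from a list whose length is a power of 2."""
    n = len(xs)
    if n == 0 or n & (n - 1):
        raise ValueError("a perfect tree holds 2^k leaves")
    if n == 1:
        return PLeaf(xs[0])
    return PNode(from_list([(xs[i], xs[i + 1]) for i in range(0, n, 2)]))


def flatten(t) -> list:
    """flatten : Nat^b (PTree b) (List b), as a fold with f = List:
    the node case turns a list of pairs into a list."""
    return fold_ptree(lambda x: [x], lambda xs: [y for p in xs for y in p], t)


def size(t) -> int:
    """f = the constant functor at Int: a node doubles the inner count."""
    return fold_ptree(lambda _: 1, lambda n: 2 * n, t)


def reverse_ptree(t):
    """reversePTree of Section 2.2 as a fold with f = PTree: the node case
    receives a PTree (a x a) and swaps every pair."""
    swap = lambda p: (p[1], p[0])
    return fold_ptree(PLeaf, lambda s: PNode(pmap(swap, s)), t)


if __name__ == "__main__":
    t = from_list([1, 2, 3, 4])  # constructed input: the tree ((1,2),(3,4))
    print(flatten(t), flatten(reverse_ptree(t)), size(t))
```

Running the block on the constructed tree ((1,2),(3,4)) prints [1, 2, 3, 4], then [4, 3, 2, 1] for its reversal, and 4 for its size, matching the behaviour of reversePTree described in Section 2.2.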

Since the type systems of Fy and dependent type theories are designed to 
extend System F with far more than non-ADT data types, it seems like seri- 
ous overkill to pass to their parametric models to reason about nested types in 
System F. Indeed, such calculi support fundamentally new features that add 
complexity to their models that is entirely unnecessary for reasoning about 
nested types. This paper therefore pursues the second option above. We first 
design a Hindley-Milner-style calculus supporting primitive nested types, to- 
gether with primitive types of natural transformations representing morphisms 
between them. Our calculus can express all nested types appearing in the lit- 
erature, including truly nested types. At the term-level, it supports primitive 
pattern matching, map functions, and fold combinators for nested types.¹ Our 
main contribution is the construction of a parametric model for our calculus. This 
is both delicate and challenging. To ensure the existence of semantic fixpoints 
interpreting nested types, and thus to establish a suitable Identity Extension 
Lemma, our type system must explicitly track functoriality of types, and co- 
continuity conditions on the functors interpreting them must be appropriately 
threaded throughout the model construction. Our model validates all standard 
consequences of parametricity in the presence of primitive nested types, includ- 
ing the isomorphism of primitive ADTs and their Church encodings, and cor- 
rectness of short cut fusion for nested types. The relationship between naturality 
and parametricity has long been of interest, and our inclusion of a primitive type 
of natural transformations allows us to clearly delineate those consequences of 
parametricity that follow from naturality, from those, such as short cut fusion 
for nested types, that require the full power of parametricity. 


¹ We leave incorporating general term-level recursion to future work because, as 
Pitts [23] reminds us, “it is hard to construct models of both impredicative poly- 
morphism and fixpoint recursion”. In fact, as the development in this paper shows, 
constructing a parametric model even for our predicative calculus with primitive 
nested types — and even without term-level fixpoints — is already rather involved. 
On the other hand, our calculus is strongly normalizing, so it perhaps edges us 
toward the kind of provably total practical programming language proposed in [27]. 
Structure of this Paper We introduce our calculus in Section 2. Its type system 
is based on the level-2-truncation of the higher-kinded grammar from [17], 
augmented with a primitive type of natural transformations. (Since [17] contains 
no term calculus, the issue of parametricity could not even be raised there.) In 
Section 3 we give set and relational interpretations of our types. Set interpre- 
tations are possible precisely because our calculus is predicative — as ensured 
by our primitive natural transformation types — and [17] guarantees that local 
finite presentability of Set makes it suitable for interpreting nested types. As is 
standard in categorical models, types are interpreted as functors from environ- 
ments interpreting their type variable contexts to sets or relations, as appropri- 
ate. To ensure that these functors satisfy the cocontinuity properties needed for 
the semantic fixpoints interpreting nested types to exist, set environments must 
map k-ary type constructor variables to appropriately cocontinuous k-ary func- 
tors on sets, relation environments must map k-ary type constructor variables to 
appropriately cocontinuous k-ary relation transformers, and these cocontinuity 
conditions must be threaded through our type interpretations in such a way that 
an Identity Extension Lemma (Theorem 1) can be proved. Properly propagating 
the cocontinuity conditions requires considerable care, and Section 4, where it is 
done, is (apart from tracking functoriality in the calculus so that it is actually 
possible) where the bulk of the work in constructing our model lies. 


In Section 5, we give set and relational interpretations for the terms of our 
calculus. As usual in categorical models, terms are interpreted as natural trans- 
formations from interpretations of their term contexts to interpretations of their 
types, and these must cohere in what is essentially a fibred way. In Section 6.1 
we prove a scheme deriving free theorems that are consequences of natural- 
ity of polymorphic functions over nested types. This scheme is very general, 
and is parameterized over both the data type and the type of the polymorphic 
function at hand. It has, for example, analogues for nested types of Wadler’s 
map-rearrangement free theorems as instances. In Section 6.2 we prove that our 
model satisfies an Abstraction Theorem (Theorem 4), which we use to derive 
other parametricity results that go beyond naturality. We conclude in Section 7. 


Related Work There is a long line of work on categorical models of parametric- 
ity for System F; see, e.g., [3,6,8,9,12,13,20,26]. To our knowledge, all such models 
treat ADTs via their Church encodings, verifying in the just-constructed para- 
metric model that each ADT is isomorphic to its encoding. This paper draws 
on this rich tradition of categorical models of parametricity for System F, but 
modifies them to treat nested types (and thus ADTs) as primitive data types. 
The only other extensions we know of System F with primitive data types are 
those in [19,21,22,23,27]. Wadler [27] treats full System F, and sketches para- 
metricity for its extension with lists. Martin and Gibbons [21] outline a semantics 
for a grammar of primitive nested types similar to that in [17], but treat only 
polynomial nested types. Unfortunately, the model suggested in [21] is not en- 
tirely correct (see [17]), and parametricity is nowhere mentioned. Matthes [19] 
treats System F with non-polynomial ADTs and nested types, but focuses on 
expressivity of generalized Mendler iteration for them. He gives no semantics. 
In [23], Pitts adds list ADTs to full System F with a term-level fixpoint 
primitive. Other ADTs are included in [22], but nested types are not express- 
ible in either syntax. Pitts constructs parametric models for his calculi based on 
operational, rather than categorical, semantics. A benefit of using operational se- 
mantics to build parametric models is that it avoids needing to work in a suitable 
metatheory to accommodate System F’s impredicativity. It is well-known that 
there are no set-based parametric models of System F [25], so parametric models 
for it and its extensions are often constructed in a syntactic metatheory such as 
the impredicative Calculus of Inductive Constructions (iCIC). By adding primi- 
tive nested types to a Hindley-Milner-style calculus and working in a categorical 
setting we side-step such metatheoretic distractions. It is important to note that 
different consequences of parametricity are available in syntactic and semantic 
metatheories. Consequences of parametricity are possible for both closed and 
open System F terms in a syntactic metatheory — although not all that can be 
formulated can be always proved; see, e.g., the end of Section 7 of [4]. By con- 
trast, in a categorical metatheory consequences of parametricity are expressible 
only for closed terms. For this reason, validating the standard consequences of 
parametricity for closed terms is — going all the way back to Reynolds [24] — 
all that is required for a model of parametricity to be considered good. 

Atkey [2] treats parametricity for arbitrary higher kinds, constructing a parametric 
model for System Fω within iCIC, rather than in a semantic category. 
His construction is in some ways similar to ours, but he represents (now higher- 
kinded) data types using Church encodings rather than as primitives. Moreover, 
the fmap functions associated to Atkey’s functors must be given, presumably by 
the programmer, together with their underlying type constructors. This absolves 
him of imposing cocontinuity conditions on his model to ensure that fixpoints of 
his functors exist, but, unfortunately, he does not indicate which type construc- 
tors support fmap functions. We suspect explicitly spelling out which types can 
be interpreted as strictly positive functors would result in a full higher-kinded 
extension of a calculus akin to that presented here. 


2 The Calculus 
2.1 Types 


For each k ≥ 0, we assume countable sets Tᵏ of type constructor variables of arity 
k (i.e., of kind ∗ → ... → ∗ → ∗, with k arrows and k + 1 ∗s in this sequence) and 
Fᵏ of functorial variables of arity k, all mutually disjoint. The sets of all type 
constructor variables and functorial variables are T = ⋃_{k≥0} Tᵏ and F = ⋃_{k≥0} Fᵏ, 
respectively, and a type variable is any element of T ∪ F. We use lower case Greek 
letters for type variables, writing φᵏ to indicate that φ ∈ Tᵏ ∪ Fᵏ, and omitting 
the arity indicator k when convenient. Letters from the beginning of the alphabet 
denote type variables of arity 0, i.e., elements of T⁰ ∪ F⁰. We write φ̄ for either a 
set {φ₁, ..., φₙ} of type constructor variables or a set of functorial variables when 
the cardinality n of the set is unimportant or clear from context. If V is a set 
of type variables we write V, φ̄ for V ∪ φ̄ when V ∩ φ̄ = ∅. We omit the vector 
notation for a singleton set, thus writing φ, instead of φ̄, for {φ}. 

If Γ is a finite subset of T, Φ is a finite subset of F, ᾱ is a finite subset of F⁰ 
disjoint from Φ, and φᵏ ∈ Fᵏ \ Φ, then the set 𝓕 of well-formed types is given in 
Definition 1. The notation there entails that type application φ F₁ ... Fₖ is allowed 
only when φ is a type variable of arity k, or φ is a subexpression of the form 
μφᵏ.λα₁ ... αₖ.F′. Moreover, if φ has arity k then φ must be applied to exactly 
k arguments. Accordingly, an overbar indicates a sequence of subexpressions 
whose length matches the arity of the type applied to it. Requiring that types 
are always in such η-long normal form avoids having to consider β-conversion of 
types. In a subexpression Nat^ᾱ F G, the Nat operator binds all occurrences of the 
variables in ᾱ in F and G; intuitively, Nat^ᾱ F G represents the type of a natural 
transformation in ᾱ from the functor F to the functor G. In a subexpression 
μφᵏ.λᾱ.F, the μ operator binds all occurrences of the variable φ, and the λ 
operator binds all occurrences of the variables in ᾱ, in the body F. 

A type constructor, or non-functorial, context is a finite set Γ of type con- 
structor variables, and a functorial context is a finite set Φ of functorial variables. 
In Definition 1, a judgment of the form Γ;Φ ⊢ F indicates that the type F is 
intended to be functorial in the variables in Φ but not necessarily in those in Γ. 


Definition 1. The formation rules for the set 𝓕 of (well-formed) types are 

                                  Γ;Φ ⊢ F    Γ;Φ ⊢ G        Γ;Φ ⊢ F    Γ;Φ ⊢ G
  ─────────     ─────────       ─────────────────────     ─────────────────────
  Γ;Φ ⊢ 0       Γ;Φ ⊢ 1            Γ;Φ ⊢ F + G                Γ;Φ ⊢ F × G

  Γ;ᾱ ⊢ F    Γ;ᾱ ⊢ G        φᵏ ∈ Γ ∪ Φ    Γ;Φ ⊢ F̄        Γ;φᵏ,ᾱ ⊢ F    Γ;Φ ⊢ Ḡ
  ─────────────────────     ───────────────────────     ─────────────────────────
    Γ;∅ ⊢ Nat^ᾱ F G              Γ;Φ ⊢ φ F̄                Γ;Φ ⊢ (μφᵏ.λᾱ.F) Ḡ


We write ⊢ F for ∅;∅ ⊢ F. Definition 1 ensures that the expected weakening 
rules for well-formed types hold (but weakening does not change the contexts 
in which types can be formed). If Γ;∅ ⊢ F and Γ;∅ ⊢ G, then our rules allow 
formation of Γ;∅ ⊢ Nat^∅ F G, which represents the arrow type Γ;∅ ⊢ F → G in 
our calculus. The type Γ;∅ ⊢ Nat^α 1 F represents the ∀-type Γ;∅ ⊢ ∀α.F. Some 
System F types, such as ∀α. (α → α) → α, are not representable in our calculus. 

Since the body F of a type (μφ.λᾱ.F)Ḡ can only be functorial in φ and the 
variables in ᾱ, the representation of List α as the ADT μβ. 1 + α × β cannot be 
functorial in α. By contrast, if List α is represented as the nested type (μφ.λβ. 1 + 
β × φβ) α then we can choose α to be a functorial variable or not when forming the 
type. This observation holds for other ADTs as well; for example, if Tree α γ = 
μβ. α + β × γ × β, then α, γ;∅ ⊢ Tree α γ is well-formed, but ∅; α, γ ⊢ Tree α γ is 
not. It also applies to some non-ADT types, such as GRose φ α = μβ. 1 + α × φβ, 
in which φ and α must both be non-functorial variables. It is in fact possible 
to allow “extra” 0-ary functorial variables in the body of μ-types (functorial 
variables of higher arity are the real problem). This would allow the first-order 
representations of ADTs to be functorial, but doing so requires some changes to 
the formation rule for μ-types, as well as the delicate threading of some additional 
conditions throughout our model construction. But since we can always use an 
ADT’s (semantically equivalent) second-order representation when functoriality 
is needed, disallowing such “extra” variables does not negatively impact the 
expressivity of our calculus. We therefore pursue the simpler syntax here. 
Definition 1 allows well-formed types to be functorial in no variables. Functo- 
rial variables can also be demoted to non-functorial status: if F[φ :== ψ] is the 
textual replacement of φ by ψ in F, then Γ, ψᵏ;Φ ⊢ F[φᵏ :== ψᵏ] is derivable when- 
ever Γ;Φ, φᵏ ⊢ F is. In addition to textual replacement, we also have substitution 
for types. If Γ;Φ ⊢ F is a type, if Γ and Φ contain only type variables of arity 0, 
and if k = 0 for every occurrence of φᵏ bound by μ in F, then we say that F is 
first-order; otherwise we say that F is second-order. Substitution for first-order 
types is the usual capture-avoiding textual substitution. We write F[α := σ] 
for the result of substituting σ for α in F, and F[α₁ := F₁, ..., αₖ := Fₖ], or 
F[ᾱ := F̄] when convenient, for F[α₁ := F₁][α₂ := F₂] ... [αₖ := Fₖ]. The opera- 
tion (·)[φ :=ᾱ F] of second-order type substitution along ᾱ is defined by induction 
on types exactly as expected. The only interesting clause is that for type appli- 
cation, which defines (ψḠ)[φ :=ᾱ F] to be F[ᾱ := Ḡ[φ :=ᾱ F]] if ψ = φ and 
ψ(Ḡ[φ :=ᾱ F]) otherwise. Of course, (·)[φ⁰ :=∅ F] coincides with first-order substi- 
tution. We omit ᾱ when convenient, but note that it is not correct to substitute 
along non-functorial variables. It is not hard to see that if Γ;Φ, φᵏ ⊢ H and 
Γ;Φ, ᾱ ⊢ F with |ᾱ| = k, then Γ;Φ ⊢ H[φ :=ᾱ F]. Similarly, if Γ, φᵏ;Φ ⊢ H, and 
if Γ;Ψ, ᾱ ⊢ F with |ᾱ| = k and Φ ∩ Ψ = ∅, then Γ, Ψ;Φ ⊢ H[φ :=ᾱ F][ψ̄ :== ψ̄]. 
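As an added example (not from the paper), the following Python checker decides the judgment Γ;Φ ⊢ F of Definition 1 for the type grammar of this section and reproduces the observations made above about which representations of List, Tree and GRose are functorial in which variables, and why the curried zip type of Section 2.2 is rejected. The tuple encoding of types, the dict encoding of contexts and the freshness checks are the example's own choices; the freshness checks reflect the convention that contexts are disjoint unions, and no weakening is built in.

```python
# Added example, not from the paper: a checker for Γ;Φ ⊢ F (Definition 1).
# Types are tuples: ("0",), ("1",), ("var", name, [args]), ("sum", F, G),
# ("prod", F, G), ("nat", [alphas], F, G), ("mu", phi, [alphas], body, [args]).
# Contexts are dicts from variable name to arity; gamma is Γ, phi is Φ.

def well_formed(gamma: dict, phi: dict, F) -> bool:
    tag = F[0]
    if tag in ("0", "1"):
        return True
    if tag in ("sum", "prod"):
        return well_formed(gamma, phi, F[1]) and well_formed(gamma, phi, F[2])
    if tag == "var":
        # φ^k ∈ Γ ∪ Φ applied to exactly k arguments, each well formed in Γ;Φ
        _, name, args = F
        ctx = {**gamma, **phi}
        return (name in ctx and ctx[name] == len(args)
                and all(well_formed(gamma, phi, a) for a in args))
    if tag == "nat":
        # Γ;ᾱ ⊢ F   Γ;ᾱ ⊢ G  /  Γ;∅ ⊢ Nat^ᾱ F G : the conclusion has empty Φ,
        # and the bound ᾱ must be disjoint from Γ (contexts are disjoint unions)
        _, alphas, G, H = F
        if phi or any(a in gamma for a in alphas):
            return False
        ctx = {a: 0 for a in alphas}
        return well_formed(gamma, ctx, G) and well_formed(gamma, ctx, H)
    if tag == "mu":
        # Γ;φ^k,ᾱ ⊢ F   Γ;Φ ⊢ Ḡ  /  Γ;Φ ⊢ (μφ^k.λᾱ.F) Ḡ : the body sees only
        # φ and ᾱ as functorial variables, so Φ is dropped while checking it
        _, v, alphas, body, args = F
        if len(args) != len(alphas) or any(b in gamma for b in [v, *alphas]):
            return False
        body_ctx = {v: len(alphas), **{a: 0 for a in alphas}}
        return (well_formed(gamma, body_ctx, body)
                and all(well_formed(gamma, phi, g) for g in args))
    raise ValueError(f"unknown type form {tag!r}")


def var(name, *args):
    return ("var", name, list(args))


# List α as the ADT μβ. 1 + α × β (first-order representation)
LIST_ADT = ("mu", "β", [], ("sum", ("1",), ("prod", var("α"), var("β"))), [])
# List α as the nested type (μφ. λβ. 1 + β × φ β) α (second-order representation)
LIST_NESTED = ("mu", "φ", ["β"],
               ("sum", ("1",), ("prod", var("β"), var("φ", var("β")))), [var("α")])
# Tree α γ = μβ. α + β × γ × β
TREE = ("mu", "β", [],
        ("sum", var("α"), ("prod", ("prod", var("β"), var("γ")), var("β"))), [])
# GRose φ α = μβ. 1 + α × φ β
GROSE = ("mu", "β", [], ("sum", ("1",), ("prod", var("α"), var("φ", var("β")))), [])
# Curried and uncurried zip types for perfect trees (Section 2.2), with PTree
# treated as a 1-ary type constructor variable in Γ
PTREE = lambda a: var("PTree", a)
ZIP_CURRIED = ("nat", ["α"], PTREE(var("α")),
               ("nat", [], PTREE(var("α")), PTREE(("prod", var("α"), var("α")))))
ZIP_UNCURRIED = ("nat", ["α"], ("prod", PTREE(var("α")), PTREE(var("α"))),
                 PTREE(("prod", var("α"), var("α"))))
```

Calling well_formed({"α": 0}, {}, LIST_ADT) succeeds while well_formed({}, {"α": 0}, LIST_ADT) fails, whereas LIST_NESTED is accepted with α in either context; TREE and GROSE are accepted only with their variables non-functorial, and ZIP_CURRIED is rejected because its inner Nat would have to be formed under the non-empty functorial context α.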


2.2 Terms 


Assume an infinite set 𝒱 of term variables disjoint from T and F. If Γ is a type 
constructor context and Φ is a functorial context, then a term context for Γ and 
Φ is a finite set of bindings of the form x : F, where x ∈ 𝒱 and Γ;Φ ⊢ F. We 
adopt the above conventions for disjoint unions and vectors in term contexts. If Δ 
is a term context for Γ and Φ then the formation rules for the set of well-formed 
terms over Δ are given in Figure 1. An expression Lᾱx.t binds all occurrences of 
the type variables in ᾱ in the types of x and t, as well as all occurrences of x in t. 
In the rule for t_K̄ s there is one functorial expression in K̄ for every variable in ᾱ. 

In the rule for map^{F̄,Ḡ}_H there is one functorial expression in F̄ and one functorial 
expression in Ḡ for each variable in φ̄. Moreover, for each φᵏ in φ̄ the number of 
variables in β̄ in the judgments for functorial expressions in F̄ and Ḡ is k. In 
the rules for in_H and fold_H, the variables in β̄ are fresh with respect to H, and 
there is one β for every α. Substitution for terms is the obvious extension of the 
usual capture-avoiding textual substitution, and weakening is respected. 


The “extra” functorial variables in γ̄ in the rules for map^{F̄,Ḡ}_H (i.e., those 
variables not affected by the substitution of φ̄) allow us to map polymorphic 
functions over nested types. Suppose, for example, that we want to map the 
polymorphic function flatten : Nat^β (PTree β) (List β) over lists. The map term 
for this is typeable as follows: 

  Γ;α,γ ⊢ List α    Γ;γ ⊢ PTree γ    Γ;γ ⊢ List γ
  ──────────────────────────────────────────────────────────────────────────────────────────────────────
  Γ;∅|∅ ⊢ map^{PTree γ, List γ}_{List α} : Nat^∅ (Nat^γ (PTree γ) (List γ)) (Nat^γ (List (PTree γ)) (List (List γ)))
  Γ;Φ ⊢ F                  Γ;Φ|Δ ⊢ t : 0    Γ;Φ ⊢ F
  ─────────────────────    ──────────────────────────    ───────────────
  Γ;Φ|Δ,x:F ⊢ x : F        Γ;Φ|Δ ⊢ ⊥_F t : F             Γ;Φ|Δ ⊢ ⊤ : 1

  Γ;Φ|Δ ⊢ s : F              Γ;Φ|Δ ⊢ t : G
  ───────────────────────    ───────────────────────
  Γ;Φ|Δ ⊢ inL s : F + G      Γ;Φ|Δ ⊢ inR t : F + G

  Γ;Φ ⊢ K    Γ;Φ|Δ ⊢ t : F + G    Γ;Φ|Δ,x:F ⊢ l : K    Γ;Φ|Δ,y:G ⊢ r : K
  ────────────────────────────────────────────────────────────────────────
                 Γ;Φ|Δ ⊢ case t of {x ↦ l; y ↦ r} : K

  Γ;Φ|Δ ⊢ s : F    Γ;Φ|Δ ⊢ t : G      Γ;Φ|Δ ⊢ t : F × G    Γ;Φ|Δ ⊢ t : F × G
  ───────────────────────────────      ──────────────────    ──────────────────
      Γ;Φ|Δ ⊢ (s, t) : F × G           Γ;Φ|Δ ⊢ π₁ t : F      Γ;Φ|Δ ⊢ π₂ t : G

  Γ;ᾱ ⊢ F    Γ;ᾱ ⊢ G    Γ;ᾱ|Δ,x:F ⊢ t : G
  ─────────────────────────────────────────
        Γ;∅|Δ ⊢ Lᾱx.t : Nat^ᾱ F G

  Γ;Φ ⊢ K̄    Γ;∅|Δ ⊢ t : Nat^ᾱ F G    Γ;Φ|Δ ⊢ s : F[ᾱ := K̄]
  ──────────────────────────────────────────────────────────
               Γ;Φ|Δ ⊢ t_K̄ s : G[ᾱ := K̄]

  Γ;φ̄,γ̄ ⊢ H    Γ;β̄,γ̄ ⊢ F̄    Γ;β̄,γ̄ ⊢ Ḡ
  ─────────────────────────────────────────────────────────────────────────────
  Γ;∅|∅ ⊢ map^{F̄,Ḡ}_H : Nat^∅ (Nat^{β̄,γ̄} F̄ Ḡ) (Nat^{γ̄} H[φ̄ :=β̄ F̄] H[φ̄ :=β̄ Ḡ])

  Γ;φ,ᾱ ⊢ H
  ──────────────────────────────────────────────────────────────
  Γ;∅|∅ ⊢ in_H : Nat^{β̄} H[φ :=ᾱ (μφ.λᾱ.H)ᾱ][ᾱ := β̄] ((μφ.λᾱ.H)β̄)

  Γ;φ,ᾱ ⊢ H    Γ;β̄ ⊢ F
  ───────────────────────────────────────────────────────────────────────────
  Γ;∅|∅ ⊢ fold_H : Nat^∅ (Nat^{β̄} H[φ :=β̄ F][ᾱ := β̄] F) (Nat^{β̄} ((μφ.λᾱ.H)β̄) F)

Fig. 1. Well-formed terms 


However, this derivation would not be possible without the “extra” variable γ. 


Our calculus is expressive enough to define, e.g., a function reversePTree : 
Nat^α (PTree α)(PTree α) that reverses the order of the leaves in a perfect tree. 
It maps the perfect tree ((1, 2), (3, 4)) to ((4, 3), (2, 1)). Unfortunately, we can- 
not define recursive functions — such as a concatenation function for perfect 
trees or a zip function for bushes — that take as inputs a nested type and an 
argument of another type, both of which are parameterized over the same vari- 
able. The fundamental issue is that recursion is expressible only via fold, which 
produces natural transformations in some variables β̄ from μ-types to other 
functors F. The restrictions on Nat-types entail that F cannot itself be a Nat- 
type containing β̄, so, e.g., Nat^α (PTree α) (Nat^∅ (PTree α)(PTree (α × α))) is not 
well-typed. Uncurrying gives Nat^α (PTree α × PTree α)(PTree (α × α)), which is 
well-typed, but fold cannot produce a term of this type because PTree α × PTree α 
is not a μ-type. Our calculus can, however, express types of recursive functions 
that take multiple nested types as arguments, provided they are parameterized 
over disjoint sets of type variables and the return type of the function is pa- 
rameterized over only the variables occurring in the type of its final argument. 
Even for ADTs there is a difference between which folds over them we can type 
when they are viewed as ADTs (i.e., as fixpoints of first-order functors) versus 
as proper nested types (i.e., as fixpoints of higher-order functors). This is be- 
cause, in the return type of fold, the arguments of the μ-type must be variables 
bound by Nat. For ADTs, the μ-type takes no arguments, making it possible 
to write recursive functions, such as a concatenation function for lists of type 
α;∅ ⊢ Nat^∅ (μβ. 1 + α × β) (Nat^∅ (μβ. 1 + α × β) (μβ. 1 + α × β)). This is not possible 
for nested types — even when they are semantically equivalent to ADTs. 

Interestingly, even some recursive functions of a single proper nested type — 
e.g., a reverse function for bushes that is a true involution — cannot be expressed 
as folds because the algebra arguments needed to define them are again recursive 
functions with types of the same problematic form as the type of, e.g., a zip 
function for perfect trees. Expressivity of folds for nested types has long been 
a vexing issue, and this is naturally inherited by our calculus. Adding more 
expressive recursion combinators — e.g., generalized folds or Mendler iterators 
— could help, but since this is orthogonal to the issue of parametricity in the 
presence of primitive nested types we do not consider it further here. 


3 Interpreting Types 


We denote the category of sets and functions by Set. The category Rel has as 
objects triples (A, B, R), where R is a relation between sets A and B. It has 
as morphisms from (A, B, R) to (A′, B′, R′) pairs (f : A → A′, g : B → B′) 
of morphisms in Set such that (fa, gb) ∈ R′ if (a, b) ∈ R. We may write R : 
Rel(A, B) for (A, B, R). If R : Rel(A, B) we write π₁R and π₂R for the domain A 
of R and the codomain B of R, respectively, and assume π₁ and π₂ are surjective. 
We write Eq_A = (A, A, {(x, x) | x ∈ A}) for the equality relation on the set A. 

The key idea underlying Reynolds’ parametricity is to give each type F(α) 
with one free variable α a set interpretation F₀ taking sets to sets and a re- 
lational interpretation F₁ taking relations R : Rel(A, B) to relations F₁(R) : 
Rel(F₀(A), F₀(B)), and to interpret each term t(α, x) : F(α) with one free term 
variable x : G(α) as a map t₀ associating to each set A a function t₀(A) : 
G₀(A) → F₀(A). These interpretations are given inductively on the structures 
of F and t in such a way that they imply two fundamental theorems. The 
first is an Identity Extension Lemma, which states that F₁(Eq_A) = Eq_{F₀(A)}, 
and is the essential property that makes a model relationally parametric rather 
than just induced by a logical relation. The second is an Abstraction Theorem, 
which states that, for any R : Rel(A, B), (t₀(A), t₀(B)) is a morphism in Rel 
from (G₀(A), G₀(B), G₁(R)) to (F₀(A), F₀(B), F₁(R)). The Identity Extension 
Lemma is similar to the Abstraction Theorem except that it holds for all el- 
ements of a type’s interpretation, not just those that interpret terms. Similar 
theorems are required for types and terms with any number of free variables. 
The key to proving our Identity Extension Lemma is a familiar “cutting 
down” of the interpretations of universally quantified types to include only the 
“parametric” elements; the relevant types here are Nat types. This requires that 
the set interpretations of types (Section 3.1) are defined simultaneously with 
their relational interpretations (Section 3.2). While set interpretations are rel- 
atively straightforward, relational interpretations are less so because of the co- 
continuity conditions needed to know they are well-defined. We develop these 
conditions in Sections 3.1 and 3.2. This separates our set and relational interpre- 
tations in space, but has no other impact on the mutually inductive definitions. 
⟦Γ;Φ ⊢ 0⟧^Set ρ = 0
⟦Γ;Φ ⊢ 1⟧^Set ρ = 1
⟦Γ;∅ ⊢ Nat^ᾱ F G⟧^Set ρ = {η : λĀ. ⟦Γ;ᾱ ⊢ F⟧^Set ρ[ᾱ := Ā] → λĀ. ⟦Γ;ᾱ ⊢ G⟧^Set ρ[ᾱ := Ā]
      | ∀Ā, B̄ : Set. ∀R̄ : Rel(Ā, B̄).
        (η_Ā, η_B̄) : ⟦Γ;ᾱ ⊢ F⟧^Rel Eq_ρ[ᾱ := R̄] → ⟦Γ;ᾱ ⊢ G⟧^Rel Eq_ρ[ᾱ := R̄]}
⟦Γ;Φ ⊢ φF̄⟧^Set ρ = (ρφ)(⟦Γ;Φ ⊢ F̄⟧^Set ρ)
⟦Γ;Φ ⊢ F + G⟧^Set ρ = ⟦Γ;Φ ⊢ F⟧^Set ρ + ⟦Γ;Φ ⊢ G⟧^Set ρ
⟦Γ;Φ ⊢ F × G⟧^Set ρ = ⟦Γ;Φ ⊢ F⟧^Set ρ × ⟦Γ;Φ ⊢ G⟧^Set ρ
⟦Γ;Φ ⊢ (μφ.λᾱ.H)Ḡ⟧^Set ρ = (μT^Set_{H,ρ}) ⟦Γ;Φ ⊢ Ḡ⟧^Set ρ
    where T^Set_{H,ρ} F = λĀ. ⟦Γ;φ,ᾱ ⊢ H⟧^Set ρ[φ := F][ᾱ := Ā]
    and   T^Set_{H,ρ} η = λĀ. ⟦Γ;φ,ᾱ ⊢ H⟧^Set id_ρ[φ := η][ᾱ := id_Ā]


Fig. 2. Set interpretation 


3.1 Interpreting Types as Sets 


We interpret types in our calculus as ω-cocontinuous functors on locally finitely 
presentable categories [1]. Since functor categories of locally finitely presentable 
categories are again locally finitely presentable, this ensures that the fixpoints 
interpreting μ-types in Set and Rel exist, and thus that both the set and rela- 
tional interpretations of all of the types in Definition 1 are well-defined [17]. To 
bootstrap this process, we interpret type variables as ω-cocontinuous functors. 
If C and D are locally finitely presentable categories, we write [C, D] for the 
category of ω-cocontinuous functors from C to D. 

A set environment maps each type variable in Tᵏ ∪ Fᵏ to an element of 
[Setᵏ, Set]. A morphism f : ρ → ρ′ for set environments ρ and ρ′ with ρ|_T = ρ′|_T 
maps each type constructor variable ψᵏ ∈ T to the identity natural transfor- 
mation on ρψᵏ = ρ′ψᵏ and each functorial variable φᵏ ∈ F to a natural trans- 
formation from the k-ary functor ρφᵏ on Set to the k-ary functor ρ′φᵏ on Set. 
Composition of morphisms on set environments is componentwise, with the iden- 
tity morphism mapping each one to itself. This gives a category of set environ- 
ments and morphisms between them, denoted SetEnv. We identify a functor in 
[Set⁰, Set] with its value on ∗, and consider a set environment to map a type 
variable of arity 0 to a set. If ᾱ = {α₁, ..., αₖ} and Ā = {A₁, ..., Aₖ}, then we 
write ρ[ᾱ := Ā] for the set environment ρ′ such that ρ′αᵢ = Aᵢ for i = 1, ..., k 
and ρ′α = ρα if α ∉ {α₁, ..., αₖ}. If ρ ∈ SetEnv we write Eq_ρ for the relation en- 
vironment (see Section 3) such that Eq_ρ v = Eq_{ρv} for every type variable v. The 
set interpretation ⟦·⟧^Set : 𝓕 → [SetEnv, Set] is defined in Figure 2. The relational 
interpretations in the second clause of Figure 2 are given in full in Figure 3. 

If ρ ∈ SetEnv and ⊢ F we write ⟦⊢ F⟧^Set for ⟦⊢ F⟧^Set ρ since the environment 
is immaterial. The third clause of Figure 2 does indeed define a set: local finite 
presentability of Set and ω-cocontinuity of ⟦Γ;ᾱ ⊢ F⟧^Set ρ ensure that the set of 
natural transformations {η : ⟦Γ;ᾱ ⊢ F⟧^Set ρ → ⟦Γ;ᾱ ⊢ G⟧^Set ρ} (which contains 
⟦Γ;∅ ⊢ Nat^ᾱ F G⟧^Set ρ) is a subset of {(⟦Γ;ᾱ ⊢ G⟧^Set ρ[ᾱ := S̄])^{(⟦Γ;ᾱ ⊢ F⟧^Set ρ[ᾱ := S̄])} 
| S̄ = (S₁, ..., S_{|ᾱ|}), and Sᵢ is a finite set for i = 1, ..., |ᾱ|}. There are count- 
ably many tuples S̄, each giving a morphism from ⟦Γ;ᾱ ⊢ F⟧^Set ρ[ᾱ := S̄] to 
⟦Γ;ᾱ ⊢ G⟧^Set ρ[ᾱ := S̄], and only Set-many such morphisms since Set is locally 
small. In addition, ⟦Γ;∅ ⊢ Nat^ᾱ F G⟧^Set is ω-cocontinuous since it is constant on 
ω-directed sets. Interpretations of Nat types ensure that ⟦Γ ⊢ F → G⟧^Set and 
⟦Γ ⊢ ∀α.F⟧^Set are as expected in parametric models. 

To make sense of the last clause in Figure 2, we need to know that, for each 
ρ ∈ SetEnv, T^Set_{H,ρ} is an ω-cocontinuous endofunctor on [Setᵏ, Set], and thus ad- 
mits a fixpoint. Since T^Set_{H,ρ} is defined in terms of ⟦Γ;φ,ᾱ ⊢ H⟧^Set, interpretations 
of types must be such functors, which entails that the actions of set interpre- 
tations of types on objects and on morphisms in SetEnv are intertwined. We 
know from [17] that, for every Γ;ᾱ ⊢ G, ⟦Γ;ᾱ ⊢ G⟧^Set is actually in [Setᵏ, Set] 
where k = |ᾱ|, so that, for each ⟦Γ;φᵏ,ᾱ ⊢ H⟧^Set, the corresponding operator 
T^Set_H can be extended to a functor from SetEnv to [[Setᵏ, Set], [Setᵏ, Set]]. The 
action of T^Set_H on an object ρ ∈ SetEnv is given by the higher-order functor T^Set_{H,ρ}, 
whose actions on objects (functors in [Setᵏ, Set]) and morphisms between them 
are given in Figure 2. Its action on a morphism f : ρ → ρ′ is the higher-order 
natural transformation T^Set_{H,f} : T^Set_{H,ρ} → T^Set_{H,ρ′}, whose action on F : [Setᵏ, Set] is 
the natural transformation T^Set_{H,f} F : T^Set_{H,ρ} F → T^Set_{H,ρ′} F whose component at Ā 
is (T^Set_{H,f} F)_Ā = ⟦Γ;φ,ᾱ ⊢ H⟧^Set f[φ := id_F][ᾱ := id_Ā]. The next definition uses 
T^Set_H to define the functorial action of set interpretation. 


Definition 2. The action of ⟦Γ;Φ ⊢ F⟧^Set on f : ρ → ρ′ in SetEnv is given by: 

– ⟦Γ;Φ ⊢ 0⟧^Set f = id_0 
– ⟦Γ;Φ ⊢ 1⟧^Set f = id_1 
– ⟦Γ;∅ ⊢ Nat^ᾱ F G⟧^Set f = id_{⟦Γ;∅ ⊢ Nat^ᾱ F G⟧^Set ρ} 
– ⟦Γ;Φ ⊢ φF̄⟧^Set f : ⟦Γ;Φ ⊢ φF̄⟧^Set ρ → ⟦Γ;Φ ⊢ φF̄⟧^Set ρ′ = (ρφ)(⟦Γ;Φ ⊢ F̄⟧^Set ρ) 
  → (ρ′φ)(⟦Γ;Φ ⊢ F̄⟧^Set ρ′) is defined by ⟦Γ;Φ ⊢ φF̄⟧^Set f = (fφ)_{⟦Γ;Φ ⊢ F̄⟧^Set ρ′} ∘ 
  (ρφ)(⟦Γ;Φ ⊢ F̄⟧^Set f) = (ρ′φ)(⟦Γ;Φ ⊢ F̄⟧^Set f) ∘ (fφ)_{⟦Γ;Φ ⊢ F̄⟧^Set ρ}. This holds since 
  ρφ and ρ′φ are functors and fφ : ρφ → ρ′φ is a natural transformation. 
– ⟦Γ;Φ ⊢ F + G⟧^Set f is defined by ⟦Γ;Φ ⊢ F + G⟧^Set f (inL x) = 
  inL (⟦Γ;Φ ⊢ F⟧^Set f x) and ⟦Γ;Φ ⊢ F + G⟧^Set f (inR y) = inR (⟦Γ;Φ ⊢ G⟧^Set f y) 
– ⟦Γ;Φ ⊢ F × G⟧^Set f = ⟦Γ;Φ ⊢ F⟧^Set f × ⟦Γ;Φ ⊢ G⟧^Set f 
– ⟦Γ;Φ ⊢ (μφ.λᾱ.H)Ḡ⟧^Set f : ⟦Γ;Φ ⊢ (μφ.λᾱ.H)Ḡ⟧^Set ρ → 
  ⟦Γ;Φ ⊢ (μφ.λᾱ.H)Ḡ⟧^Set ρ′ = (μT^Set_{H,ρ}) ⟦Γ;Φ ⊢ Ḡ⟧^Set ρ → (μT^Set_{H,ρ′}) ⟦Γ;Φ ⊢ Ḡ⟧^Set ρ′ 
  is defined by (μT^Set_{H,f})_{⟦Γ;Φ ⊢ Ḡ⟧^Set ρ′} ∘ (μT^Set_{H,ρ}) ⟦Γ;Φ ⊢ Ḡ⟧^Set f = 
  (μT^Set_{H,ρ′}) ⟦Γ;Φ ⊢ Ḡ⟧^Set f ∘ (μT^Set_{H,f})_{⟦Γ;Φ ⊢ Ḡ⟧^Set ρ}. This holds since μT^Set_{H,ρ} and 
  μT^Set_{H,ρ′} are functors and μT^Set_{H,f} : μT^Set_{H,ρ} → μT^Set_{H,ρ′} is a natural transformation. 


3.2 Interpreting Types as Relations 


A $k$-ary relation transformer $F$ is a triple $(F^1, F^2, F^*)$, where $F^1, F^2 : [Set^k, Set]$
and $F^* : [Rel^k, Rel]$ are functors, if $R_i : Rel(A_i, B_i)$ for $i = 1, \ldots, k$ then $F^* \overline{R} :
Rel(F^1 \overline{A}, F^2 \overline{B})$, and if $(\alpha_i, \beta_i) \in Hom_{Rel}(R_i, S_i)$ for $i = 1, \ldots, k$, then $F^*(\overline{\alpha}, \overline{\beta}) =
(F^1 \overline{\alpha}, F^2 \overline{\beta})$. We define $F \overline{R}$ to be $F^* \overline{R}$ and $F(\overline{\alpha}, \overline{\beta})$ to be $F^*(\overline{\alpha}, \overline{\beta})$. The last clause
above expands to: if $(a, b) \in \overline{R}$ implies $(\overline{\alpha} a, \overline{\beta} b) \in \overline{S}$ then $(c, d) \in F^* \overline{R}$ implies
$(F^1 \overline{\alpha}\, c, F^2 \overline{\beta}\, d) \in F^* \overline{S}$. We identify a $0$-ary relation transformer $(A, B, R)$ with
$R : Rel(A, B)$, and write $\pi_1 F$ for $F^1$ and $\pi_2 F$ for $F^2$. Below we extend these
conventions to relation environments in the obvious ways.

The category $RT_k$ of $k$-ary relation transformers is given by the following data: an object of $RT_k$ is a $k$-ary relation transformer; a morphism $\delta :
(G^1, G^2, G^*) \to (H^1, H^2, H^*)$ in $RT_k$ is a pair of natural transformations $(\delta^1, \delta^2)$
where $\delta^1 : G^1 \to H^1$, $\delta^2 : G^2 \to H^2$ such that, for all $\overline{R} : Rel(\overline{A}, \overline{B})$, if $(x, y) \in
G^* \overline{R}$ then $(\delta^1_{\overline{A}} x, \delta^2_{\overline{B}} y) \in H^* \overline{R}$; and identity morphisms and composition are inherited from the category of functors on $Set$. An endofunctor $H$ on $RT_k$ is
a triple $H = (H^1, H^2, H^*)$, where $H^1$ and $H^2$ are functors from $[Set^k, Set]$
to $[Set^k, Set]$; $H^*$ is a functor from $RT_k$ to $[Rel^k, Rel]$; for all $\overline{R} : Rel(\overline{A}, \overline{B})$,
$\pi_1((H^*(\delta^1, \delta^2))_{\overline{R}}) = (H^1 \delta^1)_{\overline{A}}$ and $\pi_2((H^*(\delta^1, \delta^2))_{\overline{R}}) = (H^2 \delta^2)_{\overline{B}}$; the action of
$H$ on objects is given by $H(F^1, F^2, F^*) = (H^1 F^1, H^2 F^2, H^*(F^1, F^2, F^*))$; and
the action of $H$ on morphisms is given by $H(\delta^1, \delta^2) = (H^1 \delta^1, H^2 \delta^2)$ for $(\delta^1, \delta^2) :
(F^1, F^2, F^*) \to (G^1, G^2, G^*)$. Since applying an endofunctor $H$ to $k$-ary relation
transformers and morphisms between them must give $k$-ary relation transformers and morphisms between them, this definition implicitly requires the following three conditions to hold: i) $H^*(F^1, F^2, F^*) \overline{R} : Rel(H^1 F^1 \overline{A}, H^2 F^2 \overline{B})$ if $R_1 :
Rel(A_1, B_1), \ldots, R_k : Rel(A_k, B_k)$; ii) $H^*(F^1, F^2, F^*)(\overline{\alpha}, \overline{\beta}) = (H^1 F^1 \overline{\alpha}, H^2 F^2 \overline{\beta})$
if $(\alpha_1, \beta_1) \in Hom_{Rel}(R_1, S_1), \ldots, (\alpha_k, \beta_k) \in Hom_{Rel}(R_k, S_k)$; and iii) if $(\delta^1, \delta^2) :
(F^1, F^2, F^*) \to (G^1, G^2, G^*)$ and $R_1 : Rel(A_1, B_1), \ldots, R_k : Rel(A_k, B_k)$, then
$((H^1 \delta^1)_{\overline{A}} x, (H^2 \delta^2)_{\overline{B}} y) \in H^*(G^1, G^2, G^*) \overline{R}$ if $(x, y) \in H^*(F^1, F^2, F^*) \overline{R}$. Note,
however, that this last condition is automatically satisfied because it is implied
by the third condition on functors on relation transformers.

If $H$ and $K$ are endofunctors on $RT_k$, then a natural transformation $\sigma :
H \to K$ is a pair $\sigma = (\sigma^1, \sigma^2)$, where $\sigma^1 : H^1 \to K^1$ and $\sigma^2 : H^2 \to K^2$ are
natural transformations between endofunctors on $[Set^k, Set]$ and the component
of $\sigma$ at $F \in RT_k$ is given by $\sigma_F = (\sigma^1_{F^1}, \sigma^2_{F^2})$. This definition entails that $\sigma^1_{F^1}$ is
natural in $F^1 : [Set^k, Set]$, and, for every $F$, both $(\sigma^1_{F^1})_{\overline{A}}$ and $(\sigma^2_{F^2})_{\overline{A}}$ are natural
in $\overline{A}$. Moreover, since the results of applying $\sigma$ to $k$-ary relation transformers
must be morphisms of $k$-ary relation transformers, it implicitly requires that
$(\sigma_F)_{\overline{R}} = ((\sigma^1_{F^1})_{\overline{A}}, (\sigma^2_{F^2})_{\overline{B}})$ is a morphism in $Rel$ for any $k$-tuple of relations
$\overline{R} : Rel(\overline{A}, \overline{B})$, i.e., that if $(x, y) \in H^* F \overline{R}$, then $((\sigma^1_{F^1})_{\overline{A}} x, (\sigma^2_{F^2})_{\overline{B}} y) \in K^* F \overline{R}$.

Critically, we can compute $\omega$-directed colimits in $RT_k$. Indeed, if $D$ is an
$\omega$-directed set then $\mathrm{colim}_{d \in D}(F^1_d, F^2_d, F^*_d) = (\mathrm{colim}_{d \in D} F^1_d, \mathrm{colim}_{d \in D} F^2_d, \mathrm{colim}_{d \in D} F^*_d)$. We
define an endofunctor $T = (T^1, T^2, T^*)$ on $RT_k$ to be $\omega$-cocontinuous if $T^1$ and
$T^2$ are $\omega$-cocontinuous endofunctors on $[Set^k, Set]$ and $T^*$ is an $\omega$-cocontinuous
functor from $RT_k$ to $[Rel^k, Rel]$, i.e., is in $[RT_k, [Rel^k, Rel]]$. Now, for any $k$, any
$A : Set$, and any $R : Rel(A, B)$, let $K^{Set}_A$ be the constantly $A$-valued functor from
$Set^k$ to $Set$ and $K^{Rel}_R$ be the constantly $R$-valued functor from $Rel^k$ to $Rel$. Also
let $0$ denote the initial object of either $Set$ or $Rel$, as appropriate. Observing
that, for every $k$, $K^{Set}_0$ is initial in $[Set^k, Set]$, and $K^{Rel}_0$ is initial in $[Rel^k, Rel]$,
we have that, for each $k$, $K_0 = (K^{Set}_0, K^{Set}_0, K^{Rel}_0)$ is initial in $RT_k$. Thus, if
$T = (T^1, T^2, T^*) : RT_k \to RT_k$ is an endofunctor on $RT_k$, we can define the
relation transformer $\mu T$ to be $\mathrm{colim}_{n \in \mathbb{N}} T^n K_0 = (\mu T^1, \mu T^2, \mathrm{colim}_{n \in \mathbb{N}} (T^n K_0)^*)$. If
$T : [RT_k, RT_k]$ then $\mu T$ is a fixpoint for $T$, i.e., $\mu T \cong T(\mu T)$. The isomorphism
is given by $(in_1, in_2) : T(\mu T) \to \mu T$ and $(in_1^{-1}, in_2^{-1}) : \mu T \to T(\mu T)$ in $RT_k$.
The latter is always a morphism in $RT_k$, but the former need not be if $T$ is not
$\omega$-cocontinuous. Since $\mu T$'s third component is the colimit in $[Rel^k, Rel]$ of third
components of relation transformers, rather than a fixpoint of an endofunctor on
$[Rel^k, Rel]$, there is an asymmetry between $\mu T$'s first two and third components.

A relation environment maps each type variable in $\Gamma^k \cup \Phi^k$ to a $k$-ary relation
transformer. A morphism $f : \rho \to \rho'$ between relation environments $\rho$ and $\rho'$ with
$\rho|_\Gamma = \rho'|_\Gamma$ maps each $\psi^k \in \Gamma$ to the identity morphism on $\rho\psi^k = \rho'\psi^k$ and each
$\phi^k \in \Phi$ to a morphism from the $k$-ary relation transformer $\rho\phi$ to the $k$-ary
relation transformer $\rho'\phi$. Composition of morphisms on relation environments is
componentwise, with the identity morphism mapping each to itself; this gives a
category $RelEnv$ of relation environments and their morphisms. We identify a $0$-ary relation transformer with its codomain, and consider a relation environment
to map a type variable of arity $0$ to a relation. We write $\rho[\overline{\alpha} := \overline{R}]$ for the
relation environment $\rho'$ such that $\rho'\alpha_i = R_i$ for $i = 1, \ldots, k$ and $\rho'\alpha = \rho\alpha$ if
$\alpha \notin \{\alpha_1, \ldots, \alpha_k\}$. If $\rho \in RelEnv$ we write $\pi_1 \rho$ and $\pi_2 \rho$ for the set environments
mapping each type variable $\phi$ to the functors $(\rho\phi)^1$ and $(\rho\phi)^2$, respectively.


For each $k$, an $\omega$-cocontinuous functor $H : [RelEnv, RT_k]$ is a triple $H =
(H^1, H^2, H^*)$, where $H^1, H^2 : [SetEnv, [Set^k, Set]]$; $H^* : [RelEnv, [Rel^k, Rel]]$; for
all $\overline{R} : Rel(\overline{A}, \overline{B})$ and morphisms $f$ in $RelEnv$, $\pi_1(H^* f\, \overline{R}) = H^1(\pi_1 f)\, \overline{A}$ and
$\pi_2(H^* f\, \overline{R}) = H^2(\pi_2 f)\, \overline{B}$; the action of $H$ on $\rho$ in $RelEnv$ is given by $H\rho =
(H^1(\pi_1 \rho), H^2(\pi_2 \rho), H^* \rho)$; and the action of $H$ on morphisms $f : \rho \to \rho'$ in
$RelEnv$ is given by $Hf = (H^1(\pi_1 f), H^2(\pi_2 f))$. The last two points above give:
i) if $R_i : Rel(A_i, B_i)$, $i = 1, \ldots, k$, then $H^* \rho\, \overline{R} : Rel(H^1(\pi_1 \rho)\, \overline{A}, H^2(\pi_2 \rho)\, \overline{B})$; ii) if
$(\alpha_i, \beta_i) \in Hom_{Rel}(R_i, S_i)$, $i = 1, \ldots, k$, then $H^* \rho\, (\overline{\alpha}, \overline{\beta}) = (H^1(\pi_1 \rho)\, \overline{\alpha}, H^2(\pi_2 \rho)\, \overline{\beta})$;
and iii) if $f : \rho \to \rho'$ and $R_i : Rel(A_i, B_i)$, $i = 1, \ldots, k$, then if $(x, y) \in H^* \rho\, \overline{R}$
then $(H^1(\pi_1 f)_{\overline{A}}\, x, H^2(\pi_2 f)_{\overline{B}}\, y) \in H^* \rho'\, \overline{R}$.

Computation of $\omega$-directed colimits in $RT_k$ extends componentwise to colimits in $RelEnv$. Similarly, $\omega$-cocontinuity for endofunctors on $RT_k$ extends to functors from $RelEnv$ to $RT_k$. Our relational interpretation $\llbracket - \rrbracket^{Rel} : \mathcal{F} \to [RelEnv, Rel]$
is given in Figure 3. It ensures that $\llbracket \Gamma \vdash F \to G \rrbracket^{Rel}$ and $\llbracket \Gamma \vdash \forall\alpha.F \rrbracket^{Rel}$ are as
expected. As for set interpretations, $\llbracket \Gamma;\emptyset \vdash \mathrm{Nat}^{\overline{\alpha}} F\, G \rrbracket^{Rel}$ is $\omega$-cocontinuous because it is constant on $\omega$-directed sets. If $\rho \in RelEnv$ we write $\llbracket \vdash F \rrbracket^{Rel}_\rho$ for
$\llbracket \vdash F \rrbracket^{Rel} \rho$. For the last clause in Figure 3 to be well-defined we need $T_{H,\rho}$ to be
an $\omega$-cocontinuous endofunctor on $RT_k$ so that it admits a fixpoint. Since $T_{H,\rho}$ is
defined in terms of $\llbracket \Gamma;\phi^k,\overline{\alpha} \vdash H \rrbracket^{Rel}$, this means that relational interpretations
of types must be $\omega$-cocontinuous functors from $RelEnv$ to $RT_0$, which in turn
entails that the actions of relational interpretations of types on objects and on
morphisms in $RelEnv$ are intertwined. We know from [17] that, for every $\Gamma;\overline{\alpha} \vdash F$,
$\llbracket \Gamma;\overline{\alpha} \vdash F \rrbracket^{Rel}$ is actually in $[Rel^k, Rel]$ where $k = |\overline{\alpha}|$. We first define the actions
of each of these functors on morphisms between relation environments, and then
argue that they are well-defined and have the required properties. To do this, we


Parametricity for Primitive Nested Types 337 


$\llbracket \Gamma;\Phi \vdash 0 \rrbracket^{Rel} \rho = 0$
$\llbracket \Gamma;\Phi \vdash 1 \rrbracket^{Rel} \rho = 1$
$\llbracket \Gamma;\emptyset \vdash \mathrm{Nat}^{\overline{\alpha}} F\, G \rrbracket^{Rel} \rho = \{ \eta : \lambda\overline{R}.\, \llbracket \Gamma;\overline{\alpha} \vdash F \rrbracket^{Rel} \rho[\overline{\alpha} := \overline{R}] \to \lambda\overline{R}.\, \llbracket \Gamma;\overline{\alpha} \vdash G \rrbracket^{Rel} \rho[\overline{\alpha} := \overline{R}] \}$
$\quad = \{ (t, t') \in \llbracket \Gamma;\emptyset \vdash \mathrm{Nat}^{\overline{\alpha}} F\, G \rrbracket^{Set}(\pi_1 \rho) \times \llbracket \Gamma;\emptyset \vdash \mathrm{Nat}^{\overline{\alpha}} F\, G \rrbracket^{Set}(\pi_2 \rho) \mid$
$\qquad \forall R_1 : Rel(A_1, B_1), \ldots, R_k : Rel(A_k, B_k).$
$\qquad (t_{\overline{A}}, t'_{\overline{B}}) \in \llbracket \Gamma;\overline{\alpha} \vdash F \rrbracket^{Rel} \rho[\overline{\alpha} := \overline{R}] \to \llbracket \Gamma;\overline{\alpha} \vdash G \rrbracket^{Rel} \rho[\overline{\alpha} := \overline{R}] \}$
$\llbracket \Gamma;\Phi \vdash \phi\overline{F} \rrbracket^{Rel} \rho = (\rho\phi) \llbracket \Gamma;\Phi \vdash \overline{F} \rrbracket^{Rel} \rho$
$\llbracket \Gamma;\Phi \vdash F + G \rrbracket^{Rel} \rho = \llbracket \Gamma;\Phi \vdash F \rrbracket^{Rel} \rho + \llbracket \Gamma;\Phi \vdash G \rrbracket^{Rel} \rho$
$\llbracket \Gamma;\Phi \vdash F \times G \rrbracket^{Rel} \rho = \llbracket \Gamma;\Phi \vdash F \rrbracket^{Rel} \rho \times \llbracket \Gamma;\Phi \vdash G \rrbracket^{Rel} \rho$
$\llbracket \Gamma;\Phi \vdash (\mu\phi.\lambda\overline{\alpha}.H)\overline{G} \rrbracket^{Rel} \rho = (\mu T_{H,\rho}) \llbracket \Gamma;\Phi \vdash \overline{G} \rrbracket^{Rel} \rho$
$\quad$ where $T_{H,\rho} = (T^{Set}_{H,\pi_1 \rho}, T^{Set}_{H,\pi_2 \rho}, T^{Rel}_{H,\rho})$
$\quad$ and $T^{Rel}_{H,\rho} F = \lambda\overline{R}.\, \llbracket \Gamma;\Phi,\phi,\overline{\alpha} \vdash H \rrbracket^{Rel} \rho[\phi := F][\overline{\alpha} := \overline{R}]$
$\quad$ and $T^{Rel}_{H,\rho} \delta = \lambda\overline{R}.\, \llbracket \Gamma;\Phi,\phi,\overline{\alpha} \vdash H \rrbracket^{Rel} id_\rho[\phi := \delta][\overline{\alpha} := id_{\overline{R}}]$


Fig. 3. Relational interpretation


extend $T^{Rel}_H$ to a functor from $RelEnv$ to $[[Rel^k, Rel], [Rel^k, Rel]]$. Its action on an
object $\rho \in RelEnv$ is given by the higher-order functor $T^{Rel}_{H,\rho}$, whose actions on objects and morphisms are given in Figure 3. Its action on a morphism $f : \rho \to \rho'$
is the higher-order natural transformation $T^{Rel}_{H,f} : T^{Rel}_{H,\rho} \to T^{Rel}_{H,\rho'}$ whose action
on any $F : [Rel^k, Rel]$ is the natural transformation $T^{Rel}_{H,f} F : T^{Rel}_{H,\rho} F \to T^{Rel}_{H,\rho'} F$
whose component at $\overline{R}$ is $(T^{Rel}_{H,f} F)_{\overline{R}} = \llbracket \Gamma;\Phi,\phi,\overline{\alpha} \vdash H \rrbracket^{Rel} f[\phi := id_F][\overline{\alpha} := id_{\overline{R}}]$.

Using $T^{Rel}_H$ we can define the functorial action of relational interpretation.
The action $\llbracket \Gamma;\Phi \vdash F \rrbracket^{Rel} f$ of $\llbracket \Gamma;\Phi \vdash F \rrbracket^{Rel}$ on $f : \rho \to \rho'$ in $RelEnv$ is given as
in Definition 2, except that all interpretations are relational interpretations and
all occurrences of $T^{Set}_{H,f}$ are replaced by $T^{Rel}_{H,f}$. For this definition and Figure 3 to
be well-defined we need that, for every $H$, $T_{H,\rho} F$ is a relation transformer, and
$T_{H,f} F : T_{H,\rho} F \to T_{H,\rho'} F$ is a morphism of relation transformers, whenever $F$
is a relation transformer and $f : \rho \to \rho'$ is in $RelEnv$. This is immediate from


$\llbracket \Gamma;\Phi \vdash F \rrbracket = (\llbracket \Gamma;\Phi \vdash F \rrbracket^{Set}, \llbracket \Gamma;\Phi \vdash F \rrbracket^{Set}, \llbracket \Gamma;\Phi \vdash F \rrbracket^{Rel}) \in [RelEnv, RT_0] \qquad (1)$


The proof is a straightforward induction on the structure of $F$, using an appropriate result from [17] to deduce $\omega$-cocontinuity of $\llbracket \Gamma;\Phi \vdash F \rrbracket$ in each case.

We can prove by simultaneous induction that set and relational interpretations of types respect demotion of functorial variables to non-functorial ones and,
for $D \in \{Set, Rel\}$, $\llbracket \Gamma;\Phi \vdash G[\overline{\alpha} := \overline{K}] \rrbracket^D \rho = \llbracket \Gamma;\Phi,\overline{\alpha} \vdash G \rrbracket^D \rho[\overline{\alpha} := \llbracket \Gamma;\Phi \vdash \overline{K} \rrbracket^D \rho]$,
and $\llbracket \Gamma;\Phi \vdash G[\overline{\alpha} := \overline{K}] \rrbracket^D f = \llbracket \Gamma;\Phi,\overline{\alpha} \vdash G \rrbracket^D f[\overline{\alpha} := \llbracket \Gamma;\Phi \vdash \overline{K} \rrbracket^D f]$, and $\llbracket \Gamma;\Phi \vdash
F[\phi := H] \rrbracket^D \rho = \llbracket \Gamma;\Phi,\phi \vdash F \rrbracket^D \rho[\phi := \lambda\overline{A}.\, \llbracket \Gamma;\Phi,\overline{\alpha} \vdash H \rrbracket^D \rho[\overline{\alpha} := \overline{A}]]$, and, finally,
$\llbracket \Gamma;\Phi \vdash F[\phi := H] \rrbracket^D f = \llbracket \Gamma;\Phi,\phi \vdash F \rrbracket^D f[\phi := \lambda\overline{A}.\, \llbracket \Gamma;\Phi,\overline{\alpha} \vdash H \rrbracket^D f[\overline{\alpha} := id_{\overline{A}}]]$.


4 The Identity Extension Lemma 


In most treatments of parametricity, equality relations are taken as given, either
directly as diagonal relations or perhaps via reflexive graphs. By contrast, we
give a categorical definition of graph relations for natural transformations and
construct equality relations as particular such relations. Our definitions specialize
to the usual ones for morphisms between sets and equality relations on sets.

The standard definition $(x, y) \in \langle f \rangle$ iff $fx = y$ of the graph $\langle f \rangle$ of a morphism
$f : A \to B$ in $Set$ naturally generalizes to associate to each natural transformation between $k$-ary functors on $Set$ a $k$-ary relation transformer. Indeed, if $F, G :
Set^k \to Set$ and $\alpha : F \to G$ is a natural transformation, then the functor $\langle \alpha \rangle^* :
Rel^k \to Rel$ is defined as follows. Given $R_1 : Rel(A_1, B_1), \ldots, R_k : Rel(A_k, B_k)$, let
$\iota_{R_i} : R_i \to A_i \times B_i$, for $i = 1, \ldots, k$, be the inclusion of $R_i$ as a subset of $A_i \times B_i$,
let $h_{\overline{A},\overline{B}}$ be the unique morphism making the left diagram below commute, and
let $h_{\overline{R}} : F\overline{R} \to F\overline{A} \times G\overline{B}$ be $h_{\overline{A},\overline{B}} \circ F\iota_{\overline{R}}$. Further, let $\iota_{\alpha\overline{R}}$ be the subobject
through which $h_{\overline{R}}$ is factorized by the mono-epi factorization system in $Set$, as
in the right diagram below. Then $\alpha\overline{R} : Rel(F\overline{A}, G\overline{B})$ by construction, so the
action of $\langle \alpha \rangle^*$ on objects can be given by $\langle \alpha \rangle^*(\overline{A}, \overline{B}, \overline{R}) = (F\overline{A}, G\overline{B}, \alpha\overline{R})$.
Its action on morphisms is given by $\langle \alpha \rangle^*(\beta, \beta') = (F\beta, G\beta')$.


[Diagrams: left, $F(\overline{A} \times \overline{B})$ with the projections $\pi_1$ and $\pi_2$ defining $h_{\overline{A},\overline{B}}$; right, $h_{\overline{R}} : F\overline{R} \to F\overline{A} \times G\overline{B}$ factorized through the subobject $\alpha\overline{R}$.]


Lemma 1. If $F, G : [Set^k, Set]$, and if $\alpha : F \to G$ is a natural transformation,
then the graph relation transformer for $\alpha$ defined by $\langle \alpha \rangle = (F, G, \langle \alpha \rangle^*)$ is in $RT_k$.


The action of a graph relation transformer on a graph relation can be computed
explicitly: if $\alpha : F \to G$ is a morphism in $[Set^k, Set]$ and $f_1 : A_1 \to B_1, \ldots, f_k :
A_k \to B_k$, then $\langle \alpha \rangle^* \langle \overline{f} \rangle = \langle G\overline{f} \circ \alpha_{\overline{A}} \rangle = \langle \alpha_{\overline{B}} \circ F\overline{f} \rangle$.

To prove the IEL we also need to know that equality relation transformers
preserve equality relations. The equality relation transformer on $F : [Set^k, Set]$
is $Eq_F = \langle id_F \rangle = (F, F, \langle id_F \rangle^*)$. The above definition then gives that, for all
$A : Set$, $Eq_F\, Eq_A = \langle id_F \rangle^* \langle id_A \rangle = \langle F id_A \circ (id_F)_A \rangle = \langle id_{FA} \circ id_{FA} \rangle = \langle id_{FA} \rangle =
Eq_{FA}$. In addition, if $\rho, \rho' \in SetEnv$ and $f : \rho \to \rho'$, then the graph relation
environment $\langle f \rangle$ is defined pointwise by $\langle f \rangle \phi = \langle f\phi \rangle$ for every $\phi$. This entails
that $\pi_1 \langle f \rangle = \rho$ and $\pi_2 \langle f \rangle = \rho'$. The equality relation environment $Eq_\rho$ is defined
to be $\langle id_\rho \rangle$. Our IEL is thus:
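The two calculations above, $\langle \alpha \rangle^* \langle \overline{f} \rangle = \langle G\overline{f} \circ \alpha_{\overline{A}} \rangle = \langle \alpha_{\overline{B}} \circ F\overline{f} \rangle$ and $Eq_F\, Eq_A = Eq_{FA}$, can be checked by brute force on finite sets. The Python block below is an added example and not code from the paper: it takes $F = G = \mathrm{List}$ (cut at a fixed length so that enumeration stays finite), $\alpha = \mathrm{reverse}$, computes $\langle \alpha \rangle^* R$ as the image of $h_R$, and compares the three graphs. The function `dedup` is a constructed candidate for $\alpha$ that is not natural; on it, with a non-injective $f$, the equality fails, which is exactly what a reader would want the check to catch.

```python
from itertools import product
from typing import Callable, Iterable, Set, Tuple

Rel = Set[Tuple]  # a relation R : Rel(A, B) as a finite set of pairs


def lists_over(xs: Iterable, max_len: int):
    """Objects of the List functor over a finite set, cut at max_len so the
    enumeration is finite.  reverse and map preserve length, so the cut is
    respected by everything below (a finite stand-in for the full functor)."""
    xs = list(xs)
    return [tuple(p) for n in range(max_len + 1) for p in product(xs, repeat=n)]


def list_map(f: Callable, xs: Tuple) -> Tuple:
    """The List functor on morphisms."""
    return tuple(f(x) for x in xs)


def reverse(xs: Tuple) -> Tuple:
    """A natural transformation List -> List (the alpha of the text)."""
    return tuple(reversed(xs))


def dedup(xs: Tuple) -> Tuple:
    """Constructed counterexample: drops repeated elements, keeping first
    occurrences.  Not natural: map f and dedup commute only for injective f."""
    seen, out = set(), []
    for x in xs:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return tuple(out)


def identity(xs):
    return xs


def graph(f: Callable, A: Iterable) -> Rel:
    """<f> = {(a, f a) | a in A}."""
    return {(a, f(a)) for a in A}


def graph_rt(alpha: Callable, R: Rel, max_len: int) -> Rel:
    """<alpha>* R for F = G = List.
    h_R = <F pi1, alpha_B o F pi2> o F iota_R sends a list of pairs rs in F R to
    (map fst rs, alpha (map snd rs)); <alpha>* R is the image of h_R, i.e. the
    subobject of FA x GB through which h_R factors."""
    out: Rel = set()
    for rs in lists_over(sorted(R), max_len):
        out.add((tuple(a for a, _ in rs), alpha(tuple(b for _, b in rs))))
    return out


def check_graph_lemma(alpha: Callable, f: Callable, A: Iterable, max_len: int) -> bool:
    """<alpha>* <f> = <G f o alpha_A> = <alpha_B o F f>, checked by enumeration."""
    A = list(A)
    LA = lists_over(A, max_len)
    lhs = graph_rt(alpha, graph(f, A), max_len)
    via_alpha_then_f = graph(lambda xs: list_map(f, alpha(xs)), LA)  # <G f o alpha_A>
    via_f_then_alpha = graph(lambda xs: alpha(list_map(f, xs)), LA)  # <alpha_B o F f>
    return lhs == via_alpha_then_f == via_f_then_alpha


def check_identity_extension(A: Iterable, max_len: int) -> bool:
    """Eq_List Eq_A = Eq_{List A}: the equality relation transformer <id_List>
    sends the diagonal on A to the diagonal on List A."""
    A = list(A)
    eq_A = graph(identity, A)
    return graph_rt(identity, eq_A, max_len) == graph(identity, lists_over(A, max_len))


if __name__ == "__main__":
    succ = lambda a: a + 1
    print("reverse, succ:", check_graph_lemma(reverse, succ, [0, 1, 2], 2))
    print("dedup, const 0:", check_graph_lemma(dedup, lambda a: 0, [1, 2], 2))
    print("Eq_List Eq_A = Eq_{List A}:", check_identity_extension([0, 1, 2], 2))
```

The enumeration is exhaustive only up to `max_len`, which is enough here because both `reverse` and `list_map` preserve length; for a transformation that changes length (`dedup` shortens lists) the truncated functor is still closed under the maps used, so the negative result is a genuine failure of naturality and not an artifact of the cut.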


Theorem 1 (IEL). If $\rho \in SetEnv$, then $\llbracket \Gamma;\Phi \vdash F \rrbracket^{Rel} Eq_\rho = Eq_{\llbracket \Gamma;\Phi \vdash F \rrbracket^{Set} \rho}$.


The IEL's highly non-trivial proof is by induction on the structure of $F$. Only
the Nat, application, and fixpoint cases are non-routine. The latter two explicitly calculate actions of graph relation transformers as above. The fixpoint case
also uses that, for every $n \in \mathbb{N}$, the following intermediate results can be proved
by simultaneous induction with Theorem 1: for any $H$, $\rho$, $\overline{A}$, and subformula $J$
of $H$, both $T^n_{H,Eq_\rho} K_0\, Eq_{\overline{A}} = (Eq_{(T^{Set}_{H,\rho})^n K_0})^* Eq_{\overline{A}}$ and $\llbracket \Gamma;\Phi,\phi,\overline{\alpha} \vdash J \rrbracket^{Rel} Eq_\rho[\phi :=
T^n_{H,Eq_\rho} K_0][\overline{\alpha} := Eq_{\overline{A}}] = \llbracket \Gamma;\Phi,\phi,\overline{\alpha} \vdash J \rrbracket^{Rel} Eq_\rho[\phi := Eq_{(T^{Set}_{H,\rho})^n K_0}][\overline{\alpha} := Eq_{\overline{A}}]$ hold.
[Figure lost to extraction. It tabulates $\llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^D \rho$ for each term former: variables as projections out of $\llbracket \Gamma;\Phi \vdash \Delta \rrbracket^D \rho$; $\bot$ and $\top$ via the unique morphisms from $0$ and to $1$; $L_{\overline{\alpha}}x.t$ via $\mathrm{curry}$ and application $t_{\overline{K}}\, s$ via $\mathrm{eval}$ at $\llbracket \Gamma;\Phi \vdash \overline{K} \rrbracket^D \rho$; pairs, $\pi_1$, $\pi_2$, $\mathrm{inL}$, $\mathrm{inR}$ and $\mathrm{case}$ via products, coproducts and $\mathrm{eval} \circ (\mathrm{curry}\, \ldots)$; and $\mathrm{map}$, $\mathrm{in}$ and $\mathrm{fold}$ via the functorial action, the isomorphism $\mathrm{in}$ and the fold of the fixpoint, where an extra component $X$ is $Set$ when $D = Set$ and is not present when $D = Rel$.]


Fig. 4. Term semantics


The case of the proof when $F$ and $J$ are both $\mu$-types makes clear that if functorial variables of arity greater than $0$ were allowed to appear in the bodies of
$\mu$-types, then the IEL would fail.

With the IEL in hand we can prove a Graph Lemma for our setting:


Lemma 2. If $\rho, \rho' \in SetEnv$ and $f : \rho \to \rho'$ then
$\langle \llbracket \Gamma;\Phi \vdash F \rrbracket^{Set} f \rangle = \llbracket \Gamma;\Phi \vdash F \rrbracket^{Rel} \langle f \rangle$


5 Interpreting Terms 


If $\Delta = x_1 : F_1, \ldots, x_n : F_n$ is a term context for $\Gamma$ and $\Phi$, define $\llbracket \Gamma;\Phi \vdash \Delta \rrbracket^D =
\llbracket \Gamma;\Phi \vdash F_1 \rrbracket^D \times \ldots \times \llbracket \Gamma;\Phi \vdash F_n \rrbracket^D$, where $D$ is $Set$ or $Rel$ as appropriate. Then
every well-formed term has a set (resp., relational) interpretation as a natural
transformation from the set (resp., relational) interpretation of its term context
to that of its type. These interpretations, given in Figure 4, respect weakening,
so that $\llbracket \Gamma;\Phi \mid \Delta, x : F \vdash t : G \rrbracket^D \rho = (\llbracket \Gamma;\Phi \mid \Delta \vdash t : G \rrbracket^D \rho) \circ \pi_\Delta$, where $\rho \in SetEnv$
or $\rho \in RelEnv$, and $\pi_\Delta$ is the projection $\llbracket \Gamma;\Phi \vdash \Delta, x : F \rrbracket^D \to \llbracket \Gamma;\Phi \vdash \Delta \rrbracket^D$.

The return type for the semantic fold is $\llbracket \Gamma;\Phi \vdash F \rrbracket^D \rho[\overline{\alpha} := \overline{B}]$. This interpretation gives $\llbracket \Gamma;\emptyset \mid \Delta \vdash \lambda x.t : F \to G \rrbracket^D \rho = \mathrm{curry}(\llbracket \Gamma;\emptyset \mid \Delta, x : F \vdash t : G \rrbracket^D \rho)$ and
$\llbracket \Gamma;\emptyset \mid \Delta \vdash s\, t : G \rrbracket^D \rho = \mathrm{eval} \circ (\llbracket \Gamma;\emptyset \mid \Delta \vdash s : F \to G \rrbracket^D \rho, \llbracket \Gamma;\emptyset \mid \Delta \vdash t : F \rrbracket^D \rho)$, so
it specializes to the standard interpretations for System F terms. If $t$ is closed,
i.e., if $\emptyset;\emptyset \mid \emptyset \vdash t : F$, then we write $\llbracket \vdash t : F \rrbracket^D$ instead of $\llbracket \emptyset;\emptyset \mid \emptyset \vdash t : F \rrbracket^D$.
In addition, term interpretation respects substitution for both functorial and
non-functorial type variables, as well as term substitution. Direct calculation
reveals that interpretations of terms also satisfy $\llbracket \Gamma;\Phi \mid \Delta \vdash (L_{\overline{\alpha}}x.t)_{\overline{K}}\, s \rrbracket^D =
\llbracket \Gamma;\Phi \mid \Delta \vdash t[\overline{\alpha} := \overline{K}][x := s] \rrbracket^D$. Term extensionality for both types and terms,
i.e., $\llbracket \Gamma;\Phi \vdash L_{\overline{\alpha}}x.\, t_{\overline{\alpha}}\, x : F \rrbracket^D = \llbracket \Gamma;\Phi \vdash t : F \rrbracket^D$ for the type-level and term-level abstractions respectively, follows (when both sides of these equations are defined).


6 Free Theorems for Nested Types 


6.1 Consequences of Naturality 


Define, for $\Gamma;\overline{\alpha} \vdash F$, the term $id_F$ to be $\Gamma;\emptyset \mid \emptyset \vdash L_{\overline{\alpha}}x.x : \mathrm{Nat}^{\overline{\alpha}} F\, F$ and, for terms
$\Gamma;\emptyset \mid \Delta \vdash t : \mathrm{Nat}^{\overline{\alpha}} F\, G$ and $\Gamma;\emptyset \mid \Delta \vdash s : \mathrm{Nat}^{\overline{\alpha}} G\, H$, the composition $s \circ t$ of $t$ and $s$
to be $\Gamma;\emptyset \mid \Delta \vdash L_{\overline{\alpha}}x.\, s_{\overline{\alpha}}(t_{\overline{\alpha}}\, x) : \mathrm{Nat}^{\overline{\alpha}} F\, H$. Then $\llbracket \Gamma;\emptyset \mid \emptyset \vdash id_F : \mathrm{Nat}^{\overline{\alpha}} F\, F \rrbracket^{Set} \rho =
id_{\llbracket \Gamma;\overline{\alpha} \vdash F \rrbracket^{Set} \rho}$ for any set environment $\rho$ and $\llbracket \Gamma;\emptyset \mid \Delta \vdash s \circ t : \mathrm{Nat}^{\overline{\alpha}} F\, H \rrbracket^{Set}
= \llbracket \Gamma;\emptyset \mid \Delta \vdash s : \mathrm{Nat}^{\overline{\alpha}} G\, H \rrbracket^{Set} \circ \llbracket \Gamma;\emptyset \mid \Delta \vdash t : \mathrm{Nat}^{\overline{\alpha}} F\, G \rrbracket^{Set}$. Also, terms of Nat type
behave as natural transformations with respect to their source and target types:


Theorem 2. If $\Gamma;\emptyset \mid \Delta \vdash s : \mathrm{Nat}^{\overline{\alpha},\overline{\gamma}} F\, G$ and $\Gamma;\emptyset \mid \Delta \vdash t : \mathrm{Nat}^{\overline{\gamma}} K\, H$, then
$\llbracket \Gamma;\emptyset \mid \Delta \vdash ((\mathrm{map}^{\overline{\gamma}}_G)_{\overline{K}\,\overline{H}}\, t) \circ (L_{\overline{\gamma}}x.\, s_{\overline{K}\,\overline{\gamma}}\, x) : \mathrm{Nat}^{\overline{\gamma}} F[\overline{\alpha}:=\overline{K}]\, G[\overline{\alpha}:=\overline{H}] \rrbracket$
$= \llbracket \Gamma;\emptyset \mid \Delta \vdash (L_{\overline{\gamma}}x.\, s_{\overline{H}\,\overline{\gamma}}\, x) \circ ((\mathrm{map}^{\overline{\gamma}}_F)_{\overline{K}\,\overline{H}}\, t) : \mathrm{Nat}^{\overline{\gamma}} F[\overline{\alpha}:=\overline{K}]\, G[\overline{\alpha}:=\overline{H}] \rrbracket$


Theorem 2 gives rise to an entire family of free theorems that are consequences of
naturality, and thus do not require the full power of parametricity. In particular,
we can prove that the interpretation of every $\mathrm{map}_H$ is a functor, and that $\mathrm{map}$
is itself a higher-order functor. For example, the former property can be stated
as: if $\Gamma;\overline{\alpha},\overline{\gamma} \vdash H$, $\Gamma;\emptyset \mid \Delta \vdash g : \mathrm{Nat}^{\overline{\gamma}} F\, G$, and $\Gamma;\emptyset \mid \Delta \vdash f : \mathrm{Nat}^{\overline{\gamma}} G\, K$, then


$\llbracket \Gamma;\emptyset \mid \Delta \vdash (\mathrm{map}^{\overline{\gamma}}_H)_{F\,K}\, (f \circ g) : \mathrm{Nat}^{\overline{\gamma}} H[\overline{\alpha}:=F]\, H[\overline{\alpha}:=K] \rrbracket^{Set}$
$= \llbracket \Gamma;\emptyset \mid \Delta \vdash (\mathrm{map}^{\overline{\gamma}}_H)_{G\,K}\, f \circ (\mathrm{map}^{\overline{\gamma}}_H)_{F\,G}\, g : \mathrm{Nat}^{\overline{\gamma}} H[\overline{\alpha}:=F]\, H[\overline{\alpha}:=K] \rrbracket^{Set}$


We can also prove the expected properties of $\mathrm{map}$, $\mathrm{in}$, and $\mathrm{fold}$, and their interpretations, e.g., uniqueness and the universal property of the interpretation of
$\mathrm{fold}$, and that the interpretation of $\mathrm{in}$ is an isomorphism.


6.2 The Abstraction Theorem 


To get consequences of parametricity that are not merely consequences of nat- 
urality, we prove an Abstraction Theorem (Theorem 4). As usual for such the- 
orems, we prove a more general result (Theorem 3) for open terms, and recover 
our Abstraction Theorem as its special case for closed terms of closed type. 


Theorem 3. Every well-formed term $\Gamma;\Phi \mid \Delta \vdash t : F$ induces a natural transformation from $\llbracket \Gamma;\Phi \vdash \Delta \rrbracket$ to $\llbracket \Gamma;\Phi \vdash F \rrbracket$, i.e., a triple of natural transformations
$(\llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^{Set}, \llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^{Set}, \llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^{Rel})$, where, for $D \in
\{Set, Rel\}$, and for $\rho \in SetEnv$ or $\rho \in RelEnv$ as appropriate, $\llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^D :
\llbracket \Gamma;\Phi \vdash \Delta \rrbracket^D \to \llbracket \Gamma;\Phi \vdash F \rrbracket^D$ has component $\llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^D \rho : \llbracket \Gamma;\Phi \vdash \Delta \rrbracket^D \rho
\to \llbracket \Gamma;\Phi \vdash F \rrbracket^D \rho$ at $\rho$. Moreover, for all $\rho \in RelEnv$, we have $\llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^{Rel} \rho
= (\llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^{Set}(\pi_1 \rho), \llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^{Set}(\pi_2 \rho))$.

The proof is by induction on $t$. It requires showing that set and relational interpretations of term judgments are natural transformations, and that all set interpretations of terms of Nat-types satisfy the appropriate equality preservation
conditions from Figure 2. For the interesting cases of abstraction, application,
map, in, and fold terms, propagating the naturality conditions is somewhat involved; the latter two especially require some delicate diagram chasing. That it
is possible provides strong evidence that our development is sensible, natural,
and at an appropriate level of abstraction.

Using Theorem 3 we can prove that our calculus admits no terms with
the type $\mathrm{Nat}^{\alpha} 1\, \alpha$ of the polymorphic bottom, and every closed term $g$ of type
$\mathrm{Nat}^{\alpha} \alpha\, \alpha$ denotes the polymorphic identity function. Moreover, an immediate consequence of Theorem 3 is that if $\rho \in RelEnv$, and $(a, b) \in \llbracket \Gamma;\Phi \vdash \Delta \rrbracket^{Rel} \rho$, then
$(\llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^{Set}(\pi_1 \rho)\, a, \llbracket \Gamma;\Phi \mid \Delta \vdash t : F \rrbracket^{Set}(\pi_2 \rho)\, b) \in \llbracket \Gamma;\Phi \vdash F \rrbracket^{Rel} \rho$. Its instantiation to closed terms of closed type gives


Theorem 4 (Abstraction Theorem). $(\llbracket \vdash t : F \rrbracket^{Set}, \llbracket \vdash t : F \rrbracket^{Set}) \in \llbracket \vdash F \rrbracket^{Rel}$


Using Theorem 4 we can recover free theorems, such as that for the type of
the standard filter function for lists, that go beyond mere naturality, and extend
them to those nested types for which analogous functions can be defined. In
particular, we can extend short cut fusion for lists [10] to nested types, thereby
formally proving correctness of the categorically inspired theorem from [16].

Theorem 5. If $\emptyset;\phi,\alpha \vdash F$, $\emptyset;\alpha \vdash K$, $H : [Set, Set] \to [Set, Set]$ is defined by
$H f x = \llbracket \emptyset;\phi,\alpha \vdash F \rrbracket^{Set}[\phi := f][\alpha := x]$, and $G = \llbracket \emptyset;\phi \mid \emptyset \vdash g : \mathrm{Nat}^{\emptyset}\, (\mathrm{Nat}^{\alpha} F\, (\phi\alpha))\,
(\mathrm{Nat}^{\alpha} 1\, (\phi\alpha)) \rrbracket^{Set}$ for some $g$, then for every $B \in H\llbracket \emptyset;\alpha \vdash K \rrbracket^{Set} \to \llbracket \emptyset;\alpha \vdash K \rrbracket^{Set}$
we have $\mathrm{fold}_H\, B\, (G\, \mu H\, \mathrm{in}_H) = G\, \llbracket \emptyset;\alpha \vdash K \rrbracket^{Set}\, B$.

As shown in [16], replacing $1$ with any type $\emptyset;\alpha \vdash C$ generalizes Theorem 5 to a free
theorem whose conclusion is $\mathrm{fold}_H\, B \circ G\, \mu H\, \mathrm{in}_H = G\, \llbracket \emptyset;\alpha \vdash K \rrbracket^{Set}\, B$.


7 Conclusion and Directions for Future Work 


We have constructed a parametric model for a calculus supporting primitive
nested types, and used its Abstraction Theorem to derive free theorems for
these types. This was not possible before [17] because these types were not previously known to have well-defined interpretations in locally finitely presentable
categories (here, $Set$ and $Rel$), and, to our knowledge, no term calculus for them
existed either. We naturally hope (some appropriate variant of) the construction elaborated here will generalize to more advanced data types. For example, GADTs can be represented using left Kan extensions, and it was shown
in [17] that adding a Lan construct to a calculus such as ours preserves the
$\lambda$-cocontinuity needed for the data types it defines to have well-defined interpretations in locally $\lambda$-presentable categories. (Interestingly, $\lambda > \aleph_1$ is required
to interpret even common GADTs.) This suggests carrying out our model construction in locally $\lambda$-presentable cartesian closed categories (lpcccs) $\mathcal{C}$ whose
categories of (abstract) relations, obtained by pullback as in [13], are also lpcccs
and are appropriately fibred over $\mathcal{C}$. Adding term-level fixpoints further requires
our semantic categories not just to be locally $\lambda$-presentable, but to support some
kind of domain structure as well.
Abstract. We define and study a term calculus implementing higher-order node replication. It is used to specify two different (weak) evaluation strategies: call-by-name and fully lazy call-by-need, that are shown
to be observationally equivalent by using type theoretical technical tools.


1 Introduction 


Computation in the $\lambda$-calculus is based on higher-order substitution, a complex operation being able to erase and copy terms during evaluation. Several
formalisms have been proposed to model higher-order substitution, going from
explicit substitutions (ES) [1] (see a survey in [41]) and labeled systems [15] to
pointer graphs [60] or optimal sharing graphs [49]. The model of copying behind
each of these formalisms is not the same.

Indeed, suppose one wants to substitute all the free occurrences of some 
variable x in a term t by some term u. We can imagine at least four ways to 
do that. (1) A drastic solution is a one-shot substitution, called non-linear (or 
full) substitution, based on simultaneously replacing all the free occurrences of 
x in t by the whole term u. This notion is generally defined by induction on the 
structure of the term t. (2) A refined method substitutes one free occurrence of 
x at a time, the so-called linear (or partial) substitution. This notion is generally 
defined by induction on the number of free occurrences of x in the term t. An 
orthogonal approach can be taken by replicating one term-constructor of u at a 
time, instead of replicating u as a whole, called here node replication. This notion 
can be defined by induction on the structure of the term u, and also admits two 
versions: (3) non-linear, i.e. by simultaneously replacing all the occurrences of 
x in t, or (4) linear. The linear version of the node replication approach can be 
formally defined by combining (2) and (3). 

It is not surprising that different notions of substitution give rise to different
evaluation strategies. Indeed, linear substitution is the common model in well-known abstract machines for call-by-name and call-by-value (see e.g. [3]), while
(linear) node replication is used to implement fully lazy sharing [60]. However,
node replication, originally introduced to implement optimal graph reduction in
a graphical formalism, has only been studied from a Curry-Howard perspective
by means of a term language known as the atomic $\lambda$-calculus [33].


The Atomic Lambda-Calculus. The Curry-Howard isomorphism uncovers
a deep connection between logical systems and term calculi. It is then not surprising that different methods to implement substitution correspond to different
ways to normalize logical proofs. Indeed, full substitution (1) can be explained
in terms of natural deduction, while partial substitution (2) corresponds to cut
elimination in Proof-Nets [2]. Replication of nodes (3)-(4) is based on a Curry-Howard interpretation of deep inference [32,33]. Indeed, the logical aspects of
intuitionistic deep inference are captured by the atomic $\lambda$-calculus [33], where
copying of terms proceeds atomically, i.e. node by node, similar to the optimal
graph reduction of Lamping [49].

The atomic $\lambda$-calculus is based on explicit control of resources such as erasure and duplication. Its operational semantics explicitly handles the structural constructors of weakening and contraction, as in the calculus of resources
$\lambda$lxr [43,44]. As a result, comprehension of the meta-properties of the term calculus, at a higher level, and its application to concrete implementations of
reduction strategies in programming languages, turn out to be quite difficult. In
this paper, we take one step back, by studying the paradigm of node replication
based on implicit, rather than explicit, weakening and contraction. This gives
a new concise formulation of node replication which is simple enough to model
different programming languages based on reduction strategies.


Call-by-Name, Call-by-Value, Call-by-Need. Call-by-name is used to implement programming languages in which arguments of functions are first copied,
then evaluated. This is frequently expensive, and may be improved by call-by-value, in which arguments are evaluated first, then consumed. The difference
can be illustrated by the term $t = \Delta(II)$, where $\Delta = \lambda x.xx$ and $I = \lambda z.z$:
call-by-name first duplicates the argument $II$, so that its evaluation is also duplicated, while call-by-value first reduces $II$ to (the value) $I$, so that duplications
of the argument do not cause any duplicated evaluation. It is not always the best
solution, though, because evaluating erasable arguments is useless.
Call-by-need, instead, takes the best of call-by-name and call-by-value: as
in call-by-name, erasable arguments are not evaluated at all, and as in call-by-value, reduction of arguments occurs at most once. Furthermore, call-by-need
implements a demand-driven evaluation, in which erasable arguments are never
needed (so they are not evaluated), and non-erasable arguments are evaluated
only if needed. Technically, some sharing mechanism is necessary, for example by
extending the $\lambda$-calculus with explicit substitutions/let constructs [7]. Then $\beta$-reduction is decomposed in at least two steps: one creating an explicit (pending)
substitution, and the other ones (linearly) substituting values. Thus for example, $(\lambda x.xx)(II)$ reduces to $(xx)[x \backslash II]$, and the substitution argument is thus
evaluated in order to find a value before performing the linear substitution.
Even when adopting this wise evaluation scheme, there are still some unnecessary copies of redexes: while only values (i.e. abstractions) are duplicated,
they may contain redexes as subterms, e.g. $\lambda z.z(II)$ whose subterm $II$ is a
redex. Duplication of such values might cause redex duplications in weak (i.e.
when evaluation is forbidden inside abstractions) call-by-need. This happens in
particular in the confluent variant of weak reduction in [52].


Full laziness. Alas, it is not possible to keep all values shared forever, typically
when they potentially contribute to the creation of a future $\beta$-reduction step.
The key idea to gain in efficiency is then to keep the subterm $II$ as a shared
redex. Therefore, the (full) value $\lambda z.z(II)$ to be copied is split into two separate
parts. The first one, called skeleton, contains the minimal information preserving
the bound structure of the value, i.e. the linked structure between the binder
and each of its (bound) variables. In our example, this is the term $\lambda z.zy$, where
$y$ is a fresh variable. The second one is a multiset of maximal free expressions
(MFE), representing all the shareable expressions (here only the term $II$). Only
the skeleton is then copied, while the problematic redex $II$ remains shared:


$(\lambda x.xx)(\lambda z.z(II)) \to (xx)[x \backslash \lambda z.z(II)] \to ((\lambda z.zy)x)[x \backslash \lambda z.zy][y \backslash II]$


When the subterm $II$ is needed ahead, it is first reduced inside the ES, as is
usual in (standard) call-by-need, thus avoiding computing the redex twice. This
optimization is called fully lazy sharing and is due to Wadsworth [60].

In the confluent weak setting evoked earlier [52], the fully lazy optimization
is even optimal in the sense of Lévy [51]. This means that the strategy reaches
the weak normal form in the same number of $\beta$-steps as the shortest possible
weak reduction sequence in the usual $\lambda$-calculus without sharing. Thus, fully lazy
sharing turns out to be a decidable optimal strategy, in contrast to other weak
evaluation strategies in the $\lambda$-calculus without sharing, which are also optimal
but not decidable [11].


Contributions. The first contribution of this paper is a term calculus implementing (full) node replication and internally encoding skeleton extraction
(Sec. 2). We study some of its main operational properties: termination of the
substitution calculus, confluence, and its relation with the $\lambda$-calculus.

Our second contribution is the use of the node replication paradigm to give 
an alternative specification of two evaluation strategies usually described by 
means of full or linear substitution: call-by-name (Sec. 4.1) and weak fully lazy 
reduction (Sec. 4.2), based on the key notion of skeleton. The former can be re- 
lated to (weak) head reduction, while the latter is a fully lazy version of (weak) 
call-by-need. In contrast to other implementations of fully lazy reduction rely- 
ing on (external) meta-level definitions, our implementation is based on formal 
operations internally defined over the term syntax of the calculus. 

Furthermore, while it is known that call-by-name and call-by-need specified
by means of full/linear substitution are observationally equivalent [7], it was
not clear at first whether the same property would hold in our case. Our third
contribution is a proof of this result (Sec. 6) using semantical tools coming from
proof theory, notably intersection types. This proof technique [42] considerably
simplifies other approaches [7,54] based on syntactical tools. Moreover, the use
of intersection types has another important consequence: standard call-by-name
and call-by-need turn out to be observationally equivalent to call-by-name and
call-by-need with node replication, as well as to the more semantical notion of
neededness (see [45]).

Intersection types provide quantitative information about fully lazy evalu- 
ation so that a fourth contribution of this work is a measure based on type 
derivations which turns out to be an upper bound to the length of reduction 
sequences to normal forms in a fully lazy implementation. 

More generally, our work bridges the gap between the Curry-Howard theo- 
retical understanding of node replication and concrete implementations of fully 
lazy sharing. Related works are presented in the concluding Sec. 7. 


2 A Calculus for Node Replication


We now present the syntax and operational semantics of the $\lambda_R$-calculus (R for
Replication), as well as a notion of level playing a key role in the next sections.


Syntax. Given a countably infinite set $\mathcal{V}$ of variables $x, y, z, \ldots$, we consider the
following grammars.


(Terms)            $t, u ::= x \mid \lambda x.t \mid tu \mid t[x \backslash u] \mid t[x \backslash\!\backslash \lambda y.u]$

(Pure Terms)       $p, q ::= x \mid \lambda x.p \mid pq$

(Term Contexts)    $C ::= \Box \mid \lambda x.C \mid Ct \mid tC \mid C[x \backslash t] \mid C[x \backslash\!\backslash \lambda y.u] \mid t[x \backslash C] \mid t[x \backslash\!\backslash \lambda y.C]$
(List Contexts)    $L ::= \Box \mid L[x \backslash u] \mid L[x \backslash\!\backslash \lambda y.u]$


The set of terms (resp. pure terms) is denoted by $\Lambda_R$ (resp. $\Lambda$). We write $|t|$
for the size of $t$, i.e. for its number of constructors. We write $I$ for the identity
function $\lambda x.x$. The construction $[x \backslash u]$ is an explicit substitution (ES), and
$[x \backslash\!\backslash \lambda y.u]$ an explicit distributor: the first one is used to copy arbitrary terms,
while the second one is used specifically to duplicate abstractions. We write
$[x \triangleleft u]$ to denote an explicit cut in general, which is either $[x \backslash u]$ or $[x \backslash\!\backslash u]$ when
$u$ is $\lambda y.u'$, typically to factorize some definitions and proofs where they behave
similarly in both cases. When using the general notation $t[x \triangleleft u]$, we define
$\kappa(\triangleleft) = 1$ if the term is an ES, and $\kappa(\triangleleft) = 0$ otherwise.

We use two notions of contexts. Term contexts $C$ extend those of the $\lambda$-calculus to explicit cuts. List contexts $L$ denote an arbitrary list of explicit cuts. They will be used to implement reduction at a distance in the operational semantics defined ahead.

Free/bound variables of terms are defined as usual, notably $\mathtt{fv}(t[x \lhd u]) := \mathtt{fv}(t)\setminus\{x\} \cup \mathtt{fv}(u)$. These notions are extended to contexts as expected, in particular $\mathtt{fv}(\Box) := \emptyset$. The domain of a list context is given by $\mathtt{dlc}(\Box) := \emptyset$ and $\mathtt{dlc}(L[x \lhd u]) := \mathtt{dlc}(L) \cup \{x\}$. $\alpha$-conversion [13] is extended to $\lambda R$-terms as expected and used to avoid capture of free variables. We write $t\{x\backslash u\}$ for the meta-level (capture-free) substitution simultaneously replacing all the free occurrences of the variable $x$ in $t$ by the term $u$.

The application of a context $C$ to a term $t$, written $C\langle t\rangle$, replaces the hole of $C$ by $t$. For instance, $\Box\langle t\rangle = t$ and $(\lambda x.\Box)\langle t\rangle = \lambda x.t$. This operation is not defined modulo $\alpha$-conversion, so that capture of variables eventually happens. Thus, we also consider another kind of application of contexts to terms, denoted with double brackets, which is only defined if there is no capture of variables. For instance, $(\lambda y.\Box)\langle\langle x\rangle\rangle = \lambda y.x$ while $(\lambda x.\Box)\langle\langle x\rangle\rangle$ is undefined.


Operational semantics. ES may block some expected meaningful (i.e. non-structural) reductions. For instance, $\beta$-reduction is blocked in $(\lambda x.t)[y\backslash v]u$ because an ES lies between the function and its argument. This kind of stuck redex does not happen in graphical representations (e.g. [28]), but it is typical in the sequential structure of term syntaxes.

There are at least two ways to handle this issue. The first one is based on structural/permutation rules, as in [33], where the substitution is first pushed outside the application node, as $(\lambda x.t)[y\backslash v]u \to ((\lambda x.t)u)[y\backslash v]$, so that $\beta$-reduction is finally unblocked. The second, less elementary, possibility is given by an operational semantics at a distance [6,4], where the $\beta$-rule can be fired by a rule like $L\langle\lambda x.t\rangle u \to L\langle t[x\backslash u]\rangle$, $L$ being an arbitrary list context. The distance paradigm is therefore used to gather meaningful and permutation rules in only one reduction step. In $\lambda R$, we combine these two technical tools. First, we consider the following permutation rules, all of them constrained by the condition $x \notin \mathtt{fv}(t)$.


$$
\begin{array}{ll}
\lambda x.u[y \lhd t] \mapsto_\pi (\lambda x.u)[y \lhd t] & v[x \lhd u]\,t \mapsto_\pi (vt)[x \lhd u] \\
t\,v[x \lhd u] \mapsto_\pi (tv)[x \lhd u] & t[y \lhd v[x \lhd u]] \mapsto_\pi t[y \lhd v][x \lhd u]
\end{array}
$$


The reduction relation $\to_\pi$ is defined as the closure of the rules $\mapsto_\pi$ under all contexts. It does not hold any computational content, only a structural one that unblocks redexes by moving explicit cuts out.

In order to highlight the computational content of node replication we combine distance and permutations within the $\lambda R$-calculus, given by the closure of the following rules by all the contexts.


$$
\begin{array}{lcll}
L\langle\lambda x.t\rangle u & \mapsto_{\mathtt{dB}} & L\langle t[x\backslash u]\rangle & \\
t[x\backslash L\langle uv\rangle] & \mapsto_{\mathtt{app}} & L\langle t\{x\backslash yz\}[y\backslash u][z\backslash v]\rangle & \text{where } y \text{ and } z \text{ are fresh} \\
t[x\backslash L\langle\lambda y.u\rangle] & \mapsto_{\mathtt{dist}} & L\langle t[x\backslash\backslash\lambda y.z[z\backslash u]]\rangle & \text{where } z \text{ is fresh} \\
t[x\backslash\backslash\lambda y.u] & \mapsto_{\mathtt{abs}} & L\langle t\{x\backslash\lambda y.p\}\rangle & \text{where } u \to_\pi^* L\langle p\rangle \text{ and } y \notin \mathtt{fv}(L) \\
t[x\backslash L\langle y\rangle] & \mapsto_{\mathtt{var}} & L\langle t\{x\backslash y\}\rangle &
\end{array}
$$


Notice in the five rules above that the (meta-level) substitution is full (it is performed simultaneously on all free occurrences of the variable $x$), and the list context $L$ is always pushed outside the term $t$. We will highlight in green such list contexts in the forthcoming examples to improve readability. Apart from rule $\mathtt{dB}$ used to fire $\beta$-reductions, there are four substitution rules used to copy abstractions, applications and variables, pushing outside all the cuts surrounding the node to be copied. Rule $\mathtt{app}$ copies one application node, while rule $\mathtt{var}$ copies one variable node. The case of abstractions is more involved as explained below.
The specificity in copying an abstraction $\lambda y.u$ is due to the (binding) relation between $\lambda y$ and all the free occurrences of $y$ in its body $u$. Abstractions are thus copied in two stages. The first one is implemented by the rule $\mathtt{dist}$, creating a distributor in which a potentially replaceable abstraction is placed, while moving its body inside a new ES. There are then two ways to replicate nodes of the body. Either they can be copied inside the distributor (where the binding relation between $\lambda y$ and the bound occurrences of $y$ is kept intact), or they can be pushed outside the distributor, by means of the (non-deterministic) rule $\mathtt{abs}$. In the second case, however, free occurrences of $y$ cannot be pushed outside the abstraction (with binder $y$) to be duplicated, at the risk of breaking consistency: only shared components without $y$ links can then be pushed outside. These components are gathered together into a list context $L$, which is pushed outside by using permutation rules, before performing the substitution of the pure body containing all the bound occurrences of $y$. Specifying this operation using only distance is hard, thus permutation rules are also used in our rule $\mathtt{abs}$.

The s-substitution relation $\to_s$ (resp. distant Beta relation $\to_{\mathtt{dB}}$) is defined as the closure of $\mapsto_{\mathtt{app}} \cup \mapsto_{\mathtt{dist}} \cup \mapsto_{\mathtt{abs}} \cup \mapsto_{\mathtt{var}}$ (resp. $\mapsto_{\mathtt{dB}}$) under all contexts, and the reduction relation $\to_R$ is the union of $\to_s$ and $\to_{\mathtt{dB}}$.


Example 1. Let $t_0 = (\lambda x_1.x_1)(\lambda y.Iy)$. In what follows, we underline the term where the reduction is performed:

$$
\begin{array}{l}
t_0 \to_{\mathtt{dB}} x_1[x_1\backslash\lambda y.Iy] \to_{\mathtt{dist}} x_1[x_1\backslash\backslash\lambda y.z[z\backslash Iy]] \to_{\mathtt{app}} x_1[x_1\backslash\backslash\lambda y.(z_1z_2)[z_1\backslash I][z_2\backslash y]] \\
\to_{\mathtt{dist}} x_1[x_1\backslash\backslash\lambda y.(z_1z_2)[z_1\backslash\backslash\lambda x_3.z_3[z_3\backslash x_3]][z_2\backslash y]] \\
\to_{\mathtt{var}} x_1[x_1\backslash\backslash\lambda y.(z_1y)[z_1\backslash\backslash\lambda x_3.z_3[z_3\backslash x_3]]] \to_{\mathtt{abs}} (\lambda y.z_1y)[z_1\backslash\backslash\lambda x_3.z_3[z_3\backslash x_3]]
\end{array}
$$


Let $\mathcal{R}$ be any reduction relation. We write $\to^*_{\mathcal{R}}$ for the reflexive-transitive closure of $\to_{\mathcal{R}}$. A term $t$ is said to be $\mathcal{R}$-confluent iff $t \to^*_{\mathcal{R}} u$ and $t \to^*_{\mathcal{R}} s$ implies there is $t'$ such that $u \to^*_{\mathcal{R}} t'$ and $s \to^*_{\m  athcal{R}} t'$. The relation $\mathcal{R}$ is confluent iff every term is $\mathcal{R}$-confluent. A term $t$ is said to be in $\mathcal{R}$-normal form (written also $\mathcal{R}$-nf) iff there is no $t'$ such that $t \to_{\mathcal{R}} t'$. A term $t$ is said to be $\mathcal{R}$-terminating or $\mathcal{R}$-normalizing iff there is no infinite $\mathcal{R}$-sequence starting at $t$. The reduction $\mathcal{R}$ is said to be terminating iff every term is $\mathcal{R}$-terminating.


Levels. The notion of level plays a key role in this work. Intuitively, the level of a variable in a term indicates the maximal depth of its free occurrences w.r.t. ES (and not w.r.t. explicit distributors). However, in order to keep soundness w.r.t. the permutation rules, levels are computed along linked chains of ES. For instance, the level of $w$ in both $x[x\backslash y[y\backslash w]]$ and $x[x\backslash y][y\backslash w]$ is 2. Formally, the level of a variable $z$ in a term $t$ is defined by (structural) induction, while assuming by $\alpha$-conversion that $z$ is not a bound variable in $t$:

$$
\begin{array}{l}
\mathtt{lv}_z(x) := 0 \qquad \mathtt{lv}_z(t_1t_2) := \max(\mathtt{lv}_z(t_1), \mathtt{lv}_z(t_2)) \qquad \mathtt{lv}_z(\lambda y.t) := \mathtt{lv}_z(t) \\[4pt]
\mathtt{lv}_z(t[x \lhd u]) := \begin{cases} \mathtt{lv}_z(t) & \text{if } z \notin \mathtt{fv}(u) \\ \max(\mathtt{lv}_z(t), \mathtt{lv}_x(t) + \mathtt{lv}_z(u) + \iota(\lhd)) & \text{otherwise} \end{cases}
\end{array}
$$

Notice that $\mathtt{lv}_w(t) = 0$ whenever $w \notin \mathtt{fv}(t)$ or $t$ is pure. We illustrate the concept of level by an example. Consider $t = x[x\backslash z[y\backslash w]][w\backslash w']$, then $\mathtt{lv}_z(t) = 1$, $\mathtt{lv}_{w'}(t) = 3$ and $\mathtt{lv}_y(t) = 0$ because $y \notin \mathtt{fv}(t)$. This notion is also extended to contexts as expected, i.e. $\mathtt{lv}_x(C) := \mathtt{lv}_x(C\langle\langle z\rangle\rangle)$, where $z$ is a fresh variable.


Lemma 2. Let $t_0 \in \Lambda_R$. If $t_0 \to_{\pi,s} t_1$, then $\mathtt{lv}_w(t_0) \geq \mathtt{lv}_w(t_1)$ for any $w \in \mathcal{X}$.


It is worth noticing that there are two cases when the level of a variable in a term may decrease: using a permutation rule to push an explicit cut out of another cut when the first one is a void cut, or using rule $\mathtt{var}$.

Hence, levels alone are not enough to prove termination of $\to_s$. We then define a decreasing measure for $\to_s$ in which not only variables are indexed by a level, but also constructors. For instance, in $t[x\backslash\lambda y.yz]$, we can consider that all the constructors of $\lambda y.yz$ have level $\mathtt{lv}_x(t)$. This will ensure that the level of an abstraction will decrease when applying rule $\mathtt{dist}$, as well as the level of an application when applying rule $\mathtt{app}$. This is what we do next.


3 Operational Properties


We now prove three key properties of the $\lambda R$-calculus: termination of the reduction system $\to_s$, relation between $\lambda R$ and the $\lambda$-calculus, and confluence of the reduction system $\to_R$.


Termination of $\to_s$. Some (rather informal) arguments are provided in [33] to justify termination of the substitution subrelation of their whole calculus. We expand these ideas into an alternative full formal proof adapted to our case, which is based on a measure being strictly decreasing w.r.t. $\to_s$.

We consider a set $O$ of objects of the form $a(k,n)$ or $b(k)$ ($k, n \in \mathbb{N}$), which is equipped with the following ordering $>^O$:

$$
\begin{array}{ll}
a(k,n) >^O a(k',n') \text{ if } k > k', \text{ or } (k = k' \text{ and } n > n') & \quad b(k) >^O a(k',n') \text{ if } k > k' \\
a(k,n) >^O b(k') \text{ if } k > k' & \quad b(k) >^O b(k') \text{ if } k > k'
\end{array}
$$


Lemma 3. The order $>^O$ on the set $O$ is well-founded.


We write $>^O_{mul}$ for the multiset extension of the order $>^O$ on $O$, which turns out to be well-founded [8] by Lem. 3. We are now ready to (inductively) define our cuts level measure $\mathcal{C}(\_)$ on terms, where the following operation on multisets is used: $p \cdot M := [a(p+k, n) \mid a(k,n) \in M] \sqcup [b(p+k) \mid b(k) \in M]$, where $\sqcup$ denotes multiset union.

$$
\begin{array}{l}
\mathcal{C}(x) := [\,] \qquad \mathcal{C}(\lambda x.t) := \mathcal{C}(t) \qquad \mathcal{C}(tu) := \mathcal{C}(t) \sqcup \mathcal{C}(u) \\
\mathcal{C}(t[x\backslash u]) := \mathcal{C}(t) \sqcup (\mathtt{lv}_x(t)+1)\cdot\mathcal{C}(u) \sqcup [a(\mathtt{lv}_x(t)+1, |u|)] \\
\mathcal{C}(t[x\backslash\backslash u]) := \mathcal{C}(t) \sqcup \mathtt{lv}_x(t)\cdot\mathcal{C}(u) \sqcup [b(\mathtt{lv}_x(t))]
\end{array}
$$

Intuitively, the integer $k$ in $a(k,n)$ and $b(k)$ counts the level of variables bound by explicit cuts, while $n$ counts the size of terms to be substituted by an ES. Remark that for every pure term $p$ we have $\mathcal{C}(p) = [\,]$. Moreover:

Lemma 4. Let $t_0 \in \Lambda_R$. Then $t_0 \to_\pi t_1$ (resp. $t_0 \to_s t_1$) implies $\mathcal{C}(t_0) \geq^O_{mul} \mathcal{C}(t_1)$ (resp. $\mathcal{C}(t_0) >^O_{mul} \mathcal{C}(t_1)$).


As an example, consider the following reduction sequence:

$$
\begin{array}{l}
t_0 = (yy)[y\backslash(\lambda x.x)w] \to_{\mathtt{app}} (y_1y_2)(y_1y_2)[y_1\backslash\lambda x.x][y_2\backslash w] = t_1 \to_{\mathtt{var}} \\
t_2 = (y_1w)(y_1w)[y_1\backslash\lambda x.x] \to_{\mathtt{dist}} (y_1w)(y_1w)[y_1\backslash\backslash\lambda x.z[z\backslash x]] = t_3
\end{array}
$$

We have $\mathcal{C}(t_0) = [a(1,4)]$, $\mathcal{C}(t_1) = [a(1,1), a(1,2)]$, $\mathcal{C}(t_2) = [a(1,2)]$, $\mathcal{C}(t_3) = [a(1,1), b(0)]$. So $\mathcal{C}(t_i) >^O_{mul} \mathcal{C}(t_{i+1})$ for $i = 0, 1, 2, 3$.
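To make the level function and the cuts level measure concrete, the following Python code, added here and not taken from the paper, encodes $\lambda R$-terms as data, computes $\mathtt{lv}_z(t)$ and $\mathcal{C}(t)$ as defined above, implements the ordering $>^O$ with its multiset extension, and checks Lemma 4 on the sequence $t_0 \to_{\mathtt{app}} t_1 \to_{\mathtt{var}} t_2 \to_{\mathtt{dist}} t_3$. The term encoding (Var/Abs/App/Cut with an `es` flag), the tuple encoding of $a(k,n)$ and $b(k)$, and all function names are my own choices.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Union

# Constructed encoding of lambda-R terms (my choice, not the paper's):
#   Var(x) | Abs(x, t) | App(t, u) | Cut(t, x, u, es)
# es=True is an explicit substitution t[x\u], es=False an explicit distributor
# t[x\\u]. Terms are assumed to respect Barendregt's convention, which is what
# the page's "z is not a bound variable in t" proviso requires.
@dataclass(frozen=True)
class Var: name: str

@dataclass(frozen=True)
class Abs: var: str; body: "Term"

@dataclass(frozen=True)
class App: fun: "Term"; arg: "Term"

@dataclass(frozen=True)
class Cut: body: "Term"; var: str; arg: "Term"; es: bool

Term = Union[Var, Abs, App, Cut]

def fv(t: Term) -> set:
    """Free variables; fv(t[x<u]) = (fv(t) minus {x}) union fv(u)."""
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Abs):
        return fv(t.body) - {t.var}
    if isinstance(t, App):
        return fv(t.fun) | fv(t.arg)
    return (fv(t.body) - {t.var}) | fv(t.arg)

def size(t: Term) -> int:  # |t|: number of constructors (a cut node counts as one)
    if isinstance(t, Var):
        return 1
    if isinstance(t, Abs):
        return 1 + size(t.body)
    if isinstance(t, App):
        return 1 + size(t.fun) + size(t.arg)
    return 1 + size(t.body) + size(t.arg)

def lv(z: str, t: Term) -> int:
    """Level lv_z(t), by structural induction as on the page."""
    if isinstance(t, Var):
        return 0
    if isinstance(t, Abs):
        return lv(z, t.body)
    if isinstance(t, App):
        return max(lv(z, t.fun), lv(z, t.arg))
    if z not in fv(t.arg):  # z does not pass through this cut
        return lv(z, t.body)
    iota = 1 if t.es else 0  # an ES adds one level, a distributor none
    return max(lv(z, t.body), lv(t.var, t.body) + lv(z, t.arg) + iota)

def shift(p: int, m: Counter) -> Counter:
    """p . M: add p to the level k of every a(k, n) and b(k) in M."""
    return Counter({(o[0], o[1] + p) + o[2:]: c for o, c in m.items()})

def cuts_measure(t: Term) -> Counter:
    """C(t) as a multiset (Counter) of objects ('a', k, n) and ('b', k)."""
    if isinstance(t, Var):
        return Counter()
    if isinstance(t, Abs):
        return cuts_measure(t.body)
    if isinstance(t, App):
        return cuts_measure(t.fun) + cuts_measure(t.arg)
    k, inner = lv(t.var, t.body), cuts_measure(t.arg)
    if t.es:  # C(t) u (k+1).C(u) u [a(k+1, |u|)]
        return cuts_measure(t.body) + shift(k + 1, inner) + Counter({("a", k + 1, size(t.arg)): 1})
    return cuts_measure(t.body) + shift(k, inner) + Counter({("b", k): 1})  # C(t) u k.C(u) u [b(k)]

def gt_obj(o1, o2) -> bool:
    """Strict order >^O: higher level wins; equal-level a-objects compare n; a/b at equal level are incomparable."""
    if o1[1] != o2[1]:
        return o1[1] > o2[1]
    return o1[0] == "a" and o2[0] == "a" and o1[2] > o2[2]

def gt_mul(m: Counter, n: Counter) -> bool:
    """Multiset extension >^O_mul (Dershowitz-Manna): M != N and every object
    occurring only in N is dominated by some object occurring only in M."""
    if m == n:
        return False
    only_m, only_n = m - n, n - m
    return all(any(gt_obj(x, y) for x in only_m) for y in only_n)

def measure_decreases(seq) -> bool:
    """Lemma 4 on a concrete ->s sequence: C(t_i) >^O_mul C(t_{i+1}) for all i."""
    ms = [cuts_measure(t) for t in seq]
    return all(gt_mul(a, b) for a, b in zip(ms, ms[1:]))

# The page's sequence t0 ->app t1 ->var t2 ->dist t3, with I = \x.x.
I = Abs("x", Var("x"))
T0 = Cut(App(Var("y"), Var("y")), "y", App(I, Var("w")), True)
T1 = Cut(Cut(App(App(Var("y1"), Var("y2")), App(Var("y1"), Var("y2"))),
             "y1", I, True), "y2", Var("w"), True)
T2 = Cut(App(App(Var("y1"), Var("w")), App(Var("y1"), Var("w"))), "y1", I, True)
T3 = Cut(App(App(Var("y1"), Var("w")), App(Var("y1"), Var("w"))), "y1",
         Abs("x", Cut(Var("z"), "z", Var("x"), True)), False)
```

Running `measure_decreases([T0, T1, T2, T3])` returns `True`, and `cuts_measure` reproduces the four multisets listed above.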


Corollary 5. The reduction relation $\to_s$ is terminating.


Simulations. We show the relation between $\lambda R$ and the $\lambda$-calculus, as well as the atomic $\lambda$-calculus. For that, we introduce a projection from $\lambda R$-terms to $\lambda$-terms implementing the unfolding of all the explicit cuts: $x^\downarrow := x$, $(\lambda x.t)^\downarrow := \lambda x.t^\downarrow$, $(tu)^\downarrow := t^\downarrow u^\downarrow$, $(t[x \lhd u])^\downarrow := t^\downarrow\{x\backslash u^\downarrow\}$. Thus e.g. $z[z\backslash z][y\backslash w][w\backslash w']^\downarrow = z$.


Lemma 6. Let $t_0 \in \Lambda_R$. If $t_0 \to_R t_1$, then $t_0^\downarrow \to^*_\beta t_1^\downarrow$. In particular, if either $t_0 \to_\pi t_1$ or $t_0 \to_s t_1$, then $t_0^\downarrow = t_1^\downarrow$.


The relation $\to_s$ enjoys full composition on pure terms, namely, for any $p \in \Lambda$, $t[x\backslash p] \to^*_s t\{x\backslash p\}$. This property does not hold in general. Indeed, if $t = xx$, then $(xx)[x\backslash z[z\backslash w]]$ does not s-reduce to $(z[z\backslash w])(z[z\backslash w])$, but to $(zz)[z\backslash w]$. However, full composition restricted to pure terms is sufficient to prove simulation of the $\lambda$-calculus.


Lemma 7 (Simulation of the $\lambda$-calculus). Let $p_0 \in \Lambda$. If $p_0 \to_\beta p_1$, then $p_0 \to^+_R p_1$.


The previous results have an important consequence relating the original atomic $\lambda$-calculus and the $\lambda R$-calculus. Indeed, it can be shown that reduction in the atomic $\lambda$-calculus is captured by $\lambda R$, and vice-versa. More precisely, the $\lambda R$-calculus can be simulated into the atomic $\lambda$-calculus by Lem. 6 and [33], while the converse holds by [33] and Lem. 7.

A more structural correspondence between $\lambda R$ and the atomic $\lambda$-calculus could also be established. Indeed, $\lambda R$ can be first refined into a (non-linear) calculus without distance, say $\lambda R'$, so that permutation rules are integrated in the intermediate calculus as independent rules. Then a structural relation can be established between $\lambda R$ and $\lambda R'$ on one side, and $\lambda R'$ and the atomic $\lambda$-calculus on the other side (as for example done in [43] for the $\lambda$-calculus).


Confluence. By Cor. 5 the reduction relation $\to_s$ is terminating. It is then not difficult to conclude confluence of $\to_s$ by using the unfolding function $\downarrow$. Therefore, by termination of $\to_s$, any $t \in \Lambda_R$ has an s-nf, and by confluence this s-nf is unique (and computed by the unfolding function). Using the interpretation method [35] together with Lem. 6, Cor. 5, and Lem. 7, one obtains:


Theorem 8. The reduction relation $\to_R$ is confluent.


4 Encoding Evaluation Strategies


In the theory of programming languages [56], the notion of calculus is usually based on a non-deterministic rewriting relation, providing an equational system of calculation, while the deterministic notion of strategy is associated to a concrete machinery able to implement a specific evaluation procedure. Typical evaluation strategies are call-by-name, call-by-value, call-by-need, etc.

Although the atomic $\lambda$-calculus was introduced as a technical tool to implement full laziness, only its (non-deterministic) equational theory was studied. In this paper we bridge the gap between the theoretical presentation of the atomic $\lambda$-calculus and concrete specifications of evaluation strategies. Indeed, we use the $\lambda R$-calculus to investigate two concrete cases: a call-by-name strategy implementing weak head reduction, based on full substitution, and the call-by-need fully lazy strategy, which uses linear substitution.

In both cases, explicit cuts can in principle be placed anywhere in the distributors, thus demanding to dive deep in such terms to deal with them. We then restrict the set of terms to a subset $U$, which simplifies the formal reasoning about explicit cuts inside distributors. Indeed, distributors will all be of the shape $[x\backslash\backslash\lambda y.LL\langle p\rangle]$, where $p$ is a pure term (and $LL$ is a commutative list defined below). We argue that this restriction is natural in a weak implementation of the $\lambda$-calculus: it is true on pure terms and is preserved through evaluation. We consider the following grammars.

$$
\begin{array}{ll}
(\text{Linear Cut Values}) & T ::= \lambda x.LL\langle p\rangle \quad \text{where } y \in \mathtt{dlc}(LL) \Rightarrow |p|_y = 1 \\
(\text{Commutative Lists}) & LL ::= \Box \mid LL[x\backslash p] \mid LL[x\backslash\backslash T] \quad \text{where } |LL|_x = 0 \\
(\text{Values}) & v ::= \lambda x.p \\
(\text{Restricted Terms}) & U ::= x \mid v \mid UU \mid U[x\backslash U] \mid U[x\backslash\backslash T]
\end{array}
$$


A term $t$ generated by any of the grammars $G$ defined above is written $t \in G$. Thus e.g. $\lambda x.(yz)[y\backslash I][z\backslash I] \in T$ but $\lambda x.(yy)[y\backslash I] \notin T$, $\Box[x\backslash yz][x'\backslash I] \in LL$ but $\Box[x\backslash yz][y\backslash I] \notin LL$, and $(yz)[y\backslash I] \in U$ but $(yz)[y\backslash\lambda x.(yy)[y\backslash I]] \notin U$.

The set $T$ is stable by the relation $\to_s$, but $U$ is clearly not stable under the whole $\to_R$ relation, where $\mathtt{dB}$-reductions may occur under abstractions. However, $U$ is stable under both weak strategies to be defined: call-by-name and call-by-need. We factorize the proofs by proving stability for a more general relation $\to_{R'}$, defined as the relation $\to_R$ with $\mathtt{dB}$-reductions forbidden under abstractions and inside distributors.


Lemma 9 (Stability of the Grammar by $\to_s$/$\to_{R'}$).

1. If $t \in T$ and $t \to_s t'$, then $t' \in T$.
2. If $t \in U$ and $t \to_{R'} t'$, then $t' \in U$.


4.1 Call-by-name 


The call-by-name (CBN) strategy $\mathtt{name}$ (Fig. 1) is defined on the set of terms $U$ as the union of the following relations $\to_{\mathtt{ndb}}$ and $\to_{\mathtt{ns}}$. The strategy is weak as there is no reduction under abstractions. It is also worth noticing (as a particular case of Lem. 9) that $t \in U$ and $t \to_{\mathtt{name}} t'$ implies $t' \in U$.

Fig. 1. Call-by-Name Strategy (inference rules $(\mathtt{dB})$, $(\mathtt{app\_dB})$, $(\mathtt{sub\_dB})$, $(\mathtt{s})$, $(\mathtt{app\_s})$, $(\mathtt{sub\_s})$ defining $\to_{\mathtt{ndb}}$ and $\to_{\mathtt{ns}}$)
Example 10. Let $t_0 = (\lambda x_1.I(x_1I))(\lambda y.Iy)$. Then,

$$
\begin{array}{l}
t_0 \to^{(\mathtt{dB})}_{\mathtt{name}} (I(x_1I))[x_1\backslash\lambda y.Iy] \to^{(\mathtt{sub\_s})}_{\mathtt{name}} (I(x_1I))[x_1\backslash\backslash\lambda y.z[z\backslash Iy]] \to_{\mathtt{name}} \\
(I(x_1I))[x_1\backslash\backslash\lambda y.(z_1y)[z_1\backslash I]] \to_{\mathtt{name}} (I((\lambda y.z_1y)I))[z_1\backslash I] \to_{\mathtt{name}} x_0[x_0\backslash(\lambda y.z_1y)I][z_1\backslash I]
\end{array}
$$


Although the strategy $\mathtt{name}$ is not deterministic, it enjoys the remarkable diamond property, guaranteeing in particular that all reduction sequences starting from $t$ and ending in a normal form have the same length.

It is worth noticing that simulation lemmas also hold between call-by-name in the $\lambda$-calculus, known as weak head reduction and denoted by $\to_{\mathtt{whr}}$, and the $\lambda R$-calculus. Indeed, $\to_{\mathtt{whr}}$ is defined as the $\beta$-reduction rule closed by contexts $E ::= \Box \mid Et$. Then, as a consequence of Lem. 7, we have that $p_0 \to_{\mathtt{whr}} p_1$ implies $p_0 \to^*_R p_1$, and as a consequence of Lem. 6, we have that $t_0 \to_{\mathtt{name}} t_1$ implies $t_0^\downarrow \to^*_\beta t_1^\downarrow$. More importantly, call-by-name in the $\lambda$-calculus and call-by-name in the $\lambda R$-calculus are also related. Indeed,


Lemma 11 (Relating Call-by-Name Strategies).

— Let $p_0 \in \Lambda$. If $p_0 \to_{\mathtt{whr}} p_1$ then $p_0 \to^+_{\mathtt{name}} p_1$.
— Let $t_0 \in U$. If $t_0 \to_{\mathtt{name}} t_1$ then $t_0^\downarrow \to^*_{\mathtt{whr}} t_1^\downarrow$.


4.2 Call-by-need 


We now specify a deterministic strategy $\mathtt{flneed}$ implementing demand-driven computations and only linearly replicating nodes of values (i.e. pure abstractions). Given a value $\lambda x.p$, only the piece of structure containing the paths between the binder $\lambda x$ and all the free occurrences of $x$ in $p$, named skeleton, will be copied. All the other components of the abstraction will remain shared, thus avoiding some future duplications of redexes, as explained in the introduction. By copying only the smallest possible substructure of the abstraction, the strategy $\mathtt{flneed}$ implements an optimization of call-by-need called fully lazy sharing [60]. First, we formally define the key notions we are going to use.

A free expression [39,9] of a pure term $p$ is a strict subterm $q$ of $p$ such that every free occurrence of a variable in $q$ is also a free occurrence of the variable in $p$. A free expression of $p$ is maximal if it is not a subterm of another free expression of $p$. From now on, we will consider the multiset of all maximal free expressions (MFE) of a term. Thus e.g. the MFEs of $\lambda y.p$, where $p = (Iy)I(\lambda z.zyw)$, is given by the multiset $[I, I, w]$.

An $n$-ary context ($n \geq 0$) is a term with $n$ holes $\Box$. A skeleton is an $n$-ary pure context where the maximal free expressions w.r.t. a variable set $\theta$ are replaced with holes. Formally, the $\theta$-skeleton $\{\!\{p\}\!\}^\theta$ of a pure term $p$, where $\theta = \{x_1 \ldots x_n\}$, is the $n$-ary pure context $\{\!\{p\}\!\}^\theta$ such that $\{\!\{p\}\!\}^\theta\langle q_1, \ldots, q_n\rangle = p$, for $[q_1, \ldots, q_n]$ the maximal free expressions of $\lambda x_1 \ldots \lambda x_n.p$ $^4$. Thus, for the same $p$ as before, $\lambda y.\{\!\{p\}\!\}^y = \lambda y.(\Box y)\Box(\lambda z.zy\Box)$.


The Splitting Operation. Splitting a term into a skeleton and a multiset of MFEs is at the core of full laziness. This can naturally be implemented in the node replication model, as observed in [33]. Here, we define a (small-step) strategy $\to_{\mathtt{st}}$ on the set of terms $T$ to achieve it (Fig. 2), which is indeed a subset of the reduction relation $\to_R$ $^5$. The relation $\to_{\mathtt{st}}$ makes use of four basic rules which are parameterized by the variable $y$ upon which the skeleton is built, written $\mapsto^y$. There are also two contextual (inductive) rules.


$$
\begin{array}{c}
t[x\backslash y] \mapsto^y_{\mathtt{var}} t\{x\backslash y\}
\qquad
\dfrac{y \in \mathtt{fv}(p_1p_2)}{t[x\backslash p_1p_2] \mapsto^y_{\mathtt{app}} t\{x\backslash x_1x_2\}[x_1\backslash p_1][x_2\backslash p_2]}
\\[12pt]
\dfrac{y \in \mathtt{fv}(\lambda z.p)}{t[x\backslash\lambda z.p] \mapsto^y_{\mathtt{dist}} t[x\backslash\backslash\lambda z.w[w\backslash p]]}
\qquad
\dfrac{y \in \mathtt{fv}(\lambda z.LL\langle p\rangle) \quad z \notin \mathtt{fv}(LL)}{t[x\backslash\backslash\lambda z.LL\langle p\rangle] \mapsto^y_{\mathtt{abs}} LL\langle t\{x\backslash\lambda z.p\}\rangle}
\\[12pt]
\dfrac{t \mapsto^y t' \quad y \in \mathtt{fv}(t) \quad y \notin \mathtt{fv}(LL)}{\lambda y.LL\langle t\rangle \to_{\mathtt{st}} \lambda y.LL\langle t'\rangle}\ (\mathtt{ctx})
\qquad
\dfrac{t \to_{\mathtt{st}} t' \quad y \in \mathtt{fv}(t) \quad y \notin \mathtt{fv}(LL)}{\lambda y.LL\langle u[x\backslash\backslash t]\rangle \to_{\mathtt{st}} \lambda y.LL\langle u[x\backslash\backslash t']\rangle}\ (\mathtt{ctx})
\end{array}
$$

Fig. 2. Relation $\to_{\mathtt{st}}$: Splitting Skeleton and MFEs in Small-Step Semantics


Example 12. Let $y, z \notin \mathtt{fv}(t)$, so that $t$ is the MFE of $\lambda y.x[x\backslash\lambda z.(yt)z]$. Then,

$$
\begin{array}{l}
\lambda y.x[x\backslash\lambda z.(yt)z] \to^{\mathtt{dist}}_{\mathtt{st}} \lambda y.x[x\backslash\backslash\lambda z.w[w\backslash(yt)z]] \to^{\mathtt{app}}_{\mathtt{st}} \\
\lambda y.x[x\backslash\backslash\lambda z.(w_1w_2)[w_1\backslash yt][w_2\backslash z]] \to^{\mathtt{var}}_{\mathtt{st}} \lambda y.x[x\backslash\backslash\lambda z.(w_1z)[w_1\backslash yt]] \to^{\mathtt{abs}}_{\mathtt{st}} \\
\lambda y.(\lambda z.w_1z)[w_1\backslash yt] \to^{\mathtt{app}}_{\mathtt{st}} \lambda y.(\lambda z.(x_1x_2)z)[x_1\backslash y][x_2\backslash t] \to^{\mathtt{var}}_{\mathtt{st}} \lambda y.(\lambda z.(yx_2)z)[x_2\backslash t]
\end{array}
$$

Notice that the focused variable changes from $y$ to $z$, then back to $y$. This is because $\to_{\mathtt{st}}$ constructs the innermost skeletons first.


Lemma 13. The reduction relation $\to_{\mathtt{st}}$ is confluent and terminating.


Thus, from now on, we denote by $\Downarrow_{\mathtt{st}}$ the function relating a term of $T$ to its unique st-nf.


4 The order of variables in the set $\theta$ is indeed irrelevant.
5 Since $\to_{\mathtt{st}}$ acts only on terms in $T$, it is handled by linear substitution.

Lemma 14 (Correctness of $\to_{\mathtt{st}}$). Let $p \in \Lambda$ and $q_1, \ldots, q_n$ be the MFEs of $\lambda y.p$. Then $\lambda y.x[x\backslash p] \Downarrow_{\mathtt{st}} \lambda y.\{\!\{p\}\!\}^y\langle x_1, \ldots, x_n\rangle[x_i\backslash q_i]_{i \leq n}$ where the variables $x_1, \ldots, x_n$ are fresh and pairwise distinct.


Since the small-step semantics is contained in the $\lambda R$-calculus, we use it to build our call-by-need strategy of $\lambda R$.


The strategy. The call-by-need strategy $\to_{\mathtt{flneed}}$ (Fig. 3) is defined on the set of terms $U$, by using closure under the need contexts, given by the grammar $N ::= \Box \mid Nt \mid N[x \lhd t] \mid N\langle\langle x\rangle\rangle[x\backslash N]$, where $N\langle\langle\_\rangle\rangle$ denotes capture-free application of contexts (Sec. 2). As for call-by-name (Sec. 4.1), the call-by-need strategy is weak, because no meaningful reduction steps are performed under abstractions.


$$
\begin{array}{lcll}
L\langle\lambda x.p\rangle u & \to_{\mathtt{dB}} & L\langle p[x\backslash u]\rangle & \\
N\langle\langle x\rangle\rangle[x\backslash L\langle\lambda y.p\rangle] & \to_{\mathtt{spl}} & L\langle LL\langle N\langle\langle x\rangle\rangle[x\backslash\lambda y.p']\rangle\rangle & \text{if } \lambda y.z[z\backslash p] \Downarrow_{\mathtt{st}} \lambda y.LL\langle p'\rangle \\
N\langle\langle x\rangle\rangle[x\backslash v] & \to_{\mathtt{sub}} & N\langle\langle v\rangle\rangle[x\backslash v] &
\end{array}
$$

Fig. 3. Call-by-Need Strategy


Rule $\mathtt{dB}$ is the same one used to define $\mathtt{name}$. Although rules $\mathtt{spl}$ and $\mathtt{sub}$ could have been presented in a unique rule of the form $N\langle\langle x\rangle\rangle[x\backslash L\langle\lambda y.p\rangle] \to L\langle LL\langle N\langle\langle\lambda y.p'\rangle\rangle[x\backslash\lambda y.p']\rangle\rangle$, we prefer to keep them separate since they represent different stages in the strategy. Indeed, rule $\mathtt{spl}$ only uses node replication operations to compute the skeleton of the abstraction, while rule $\mathtt{sub}$ implements one-shot linear substitution.

Notice that as a particular case of Lem. 9, $t \in U$ and $t \to_{\mathtt{flneed}} t'$ implies $t' \in U$. Another interesting property is that $t \to_{\mathtt{sub}} t'$ implies $\mathtt{lv}_w(t) \geq \mathtt{lv}_w(t')$. Moreover, $\to_{\mathtt{flneed}}$ is deterministic.


Example 15. Let $t_0 = (\lambda x.(I(Ix)))\lambda y.yI$. Needed variable occurrences are highlighted in orange.

$$
\begin{array}{l}
t_0 \to_{\mathtt{dB}} (I(Ix))[x\backslash\lambda y.yI] \to_{\mathtt{dB}} x_1[x_1\backslash Ix][x\backslash\lambda y.yI] \\
\to_{\mathtt{dB}} x_1[x_1\backslash x_2[x_2\backslash x]][x\backslash\lambda y.yI] \to_{\mathtt{spl}} x_1[x_1\backslash x_2[x_2\backslash x]][x\backslash\lambda y.yz_1][z_1\backslash I] \\
\to_{\mathtt{sub}} x_1[x_1\backslash x_2[x_2\backslash\lambda y.yz_1]][x\backslash\lambda y.yz_1][z_1\backslash I] \\
\to_{\mathtt{spl}} x_1[x_1\backslash x_2[x_2\backslash\lambda y.yz_2][z_2\backslash z_1]][x\backslash\lambda y.yz_1][z_1\backslash I] \\
\to_{\mathtt{sub}} x_1[x_1\backslash(\lambda y.yz_2)[x_2\backslash\lambda y.yz_2][z_2\backslash z_1]][x\backslash\lambda y.yz_1][z_1\backslash I] \\
\to_{\mathtt{spl}} x_1[x_1\backslash\lambda y.yz_3][z_3\backslash z_2][x_2\backslash\lambda y.yz_2][z_2\backslash z_1][x\backslash\lambda y.yz_1][z_1\backslash I] \\
\to_{\mathtt{sub}} (\lambda y.yz_3)[x_1\backslash\lambda y.yz_3][z_3\backslash z_2][x_2\backslash\lambda y.yz_2][z_2\backslash z_1][x\backslash\lambda y.yz_1][z_1\backslash I]
\end{array}
$$


5 A Type System for the $\lambda R$-calculus


This section introduces a quantitative type system $\mathcal{V}$ for the $\lambda R$-calculus. Non-idempotent intersection [26] has one main advantage over the idempotent model [14]: it gives quantitative information about the length of reduction sequences to normal forms [21]. Indeed, not only typability and normalization can be proved to be equivalent, but a measure based on type derivations provides an upper bound to normalizing reduction sequences. This was extensively investigated in different logical/computational frameworks [5,18,20,25,42,47]. However, no quantitative result based on types exists in the literature for the node replication model, including the attempts done for deep inference [30]. The typing rules of our system are in themselves not surprising (see [46]), but they provide a handy quantitative characterization of fully lazy normalization (Sec. 6).

Types are built on the following grammar of types and multi-types, where $\alpha$ ranges over a set of base types and $\mathtt{a}$ is a special type constant used to type terms reducing to normal abstractions.

$$
(\text{Types})\ \ \sigma ::= \alpha \mid \mathtt{a} \mid M \to \sigma \qquad (\text{Multi-Types})\ \ M ::= [\sigma_i]_{i \in I}
$$


We write $|M|$ to denote the size of a multi-type $M$. Typing contexts, written $\Gamma, \Delta, \Sigma$, are functions from variables to multiset types, assigning the empty multiset to all but a finite set of variables. The domain of $\Gamma$ is given by $\mathtt{dom}(\Gamma) := \{x \mid \Gamma(x) \neq [\,]\}$. The union of contexts, written $\Gamma + \Delta$, is defined by $(\Gamma + \Delta)(x) := \Gamma(x) \sqcup \Delta(x)$, where $\sqcup$ denotes multiset union. An example is $(x : [\sigma], y : [\tau]) + (x : [\sigma], z : [\tau]) = (x : [\sigma, \sigma], y : [\tau], z : [\tau])$. This notion is extended to several contexts as expected, so that $+_{i \in I}\Gamma_i$ denotes a finite union of contexts, and the empty context when $I = \emptyset$. We write $\Gamma; \Delta$ for $\Gamma + \Delta$ when $\mathtt{dom}(\Gamma) \cap \mathtt{dom}(\Delta) = \emptyset$. Type judgments have the form $\Gamma \vdash t : \sigma$, where $\Gamma$ is a typing context, $t$ is a term and $\sigma$ is a type.


$$
\begin{array}{c}
\dfrac{}{x:[\sigma] \vdash x:\sigma}\ (\mathtt{ax})
\qquad
\dfrac{\Gamma; x:M \vdash t:\sigma}{\Gamma \vdash \lambda x.t : M \to \sigma}\ (\mathtt{abs})
\qquad
\dfrac{\Gamma \vdash t : M \to \sigma \quad \Delta \vdash u : M}{\Gamma + \Delta \vdash tu : \sigma}\ (\mathtt{app})
\\[12pt]
\dfrac{}{\vdash \lambda x.t : \mathtt{a}}\ (\mathtt{ans})
\qquad
\dfrac{(\Gamma_i \vdash t : \sigma_i)_{i \in I}}{+_{i \in I}\Gamma_i \vdash t : [\sigma_i]_{i \in I}}\ (\mathtt{many})
\qquad
\dfrac{\Gamma; x:M \vdash t : \sigma \quad \Delta \vdash u : M}{\Gamma + \Delta \vdash t[x \lhd u] : \sigma}\ (\mathtt{cut})
\end{array}
$$

Fig. 4. Typing System $\mathcal{V}$


A (typing) derivation is a tree obtained by applying the (inductive) typing rules of system $\mathcal{V}$ (Fig. 4), introduced in [46]. The notation $\Phi \rhd \Gamma \vdash t : \sigma$ means there is a derivation named $\Phi$ of the judgment $\Gamma \vdash t : \sigma$ in system $\mathcal{V}$. A term $t$ is typable in system $\mathcal{V}$, or $\mathcal{V}$-typable, iff there is a context $\Gamma$ and a type $\sigma$ such that $\Phi \rhd \Gamma \vdash t : \sigma$. The size of a type derivation $\mathtt{sz}(\Phi)$ is defined as the number of its $\mathtt{abs}$, $\mathtt{app}$ and $\mathtt{ans}$ rules. The typing system is relevant in the sense that $\Phi \rhd \Gamma \vdash t : \sigma$ implies $\mathtt{dom}(\Gamma) \subseteq \mathtt{fv}(t)$.

Type derivations can be measured by 3-tuples. We use a $+$ operation on 3-tuples as pointwise addition: $(a, b, c) + (e, f, g) = (a + e, b + f, c + g)$. These 3-tuples are computed by a weighted derivation level function defined on typing derivations as $\mathcal{D}(\Phi) := \mathcal{M}(\Phi, 1)$, where $\mathcal{M}(\_, \_)$ is inductively defined below. In the cases $(\mathtt{abs})$, $(\mathtt{app})$ and $(\mathtt{cut})$, we let $\Phi_t$ (resp. $\Phi_u$) be the subderivation of the type of $t$ (resp. $u$) and in $(\mathtt{many})$ we let $\Phi_i$ be the $i$-th derivation of the type of $t$ for each $i \in I$.


— For $(\mathtt{ax})$, $\mathcal{M}(\Phi_x, m) = (0, 0, 1)$.
— For $(\mathtt{abs})$, $\mathcal{M}(\Phi_{\lambda x.t}, m) = \mathcal{M}(\Phi_t, m) + (1, m, 0)$.
— For $(\mathtt{ans})$, $\mathcal{M}(\Phi_{\lambda x.t}, m) = (1, m, 0)$.
— For $(\mathtt{app})$, $\mathcal{M}(\Phi_{tu}, m) = \mathcal{M}(\Phi_t, m) + \mathcal{M}(\Phi_u, m) + (1, m, 0)$.
— For $(\mathtt{cut})$, $\mathcal{M}(\Phi_{t[x \lhd u]}, m) = \mathcal{M}(\Phi_t, m) + \mathcal{M}(\Phi_u, m + \mathtt{lv}_x(t) + \iota(\lhd))$.
— For $(\mathtt{many})$, $\mathcal{M}(\Phi_t, m) = \sum_{i \in I} \mathcal{M}(\Phi_i, m)$.


Notice that the first and the third components of any 3-tuple $\mathcal{M}(\Phi, m)$ do not depend on $m$. Intuitively, the first (resp. third) component of the 3-tuple counts the number of application/abstraction (resp. $(\mathtt{ax})$) rules in the typing derivation. The second one takes into account the number of application/abstraction rules as well, but weighted by the level of the constructor. The 3-tuples are ordered lexicographically.


Example 16. Let $\sigma = [\tau] \to \tau$. Consider the following type derivation $\Phi$:

$$
\dfrac{\dfrac{}{x:[\tau] \vdash x : \tau}\ (\mathtt{ax}) \qquad
\dfrac{\dfrac{\dfrac{}{y:[\sigma] \vdash y : \sigma}\ (\mathtt{ax}) \qquad \dfrac{\dfrac{}{z:[\tau] \vdash z : \tau}\ (\mathtt{ax})}{z:[\tau] \vdash z : [\tau]}\ (\mathtt{many})}{y:[\sigma], z:[\tau] \vdash yz : \tau}\ (\mathtt{app})}{y:[\sigma], z:[\tau] \vdash yz : [\tau]}\ (\mathtt{many})}
{y:[\sigma], z:[\tau] \vdash x[x\backslash yz] : \tau}\ (\mathtt{cut})
$$

This gives $\mathcal{D}(\Phi) = (1, 2, 3)$. Moreover, for $x[x\backslash yz] \to_{\mathtt{app}} (x_1x_2)[x_1\backslash y][x_2\backslash z]$ we have $\Phi' \rhd y:[\sigma], z:[\tau] \vdash (x_1x_2)[x_1\backslash y][x_2\backslash z] : \tau$ and $\mathcal{D}(\Phi') = (1, 1, 4)$.


6 Observational Equivalence 


The type system $\mathcal{V}$ characterizes normalization of both $\mathtt{name}$ and $\mathtt{flneed}$ strategies as follows: every typable term normalizes and every normalisable term is typable. In this sense, system $\mathcal{V}$ can be seen as a (quantitative) model [17] of our call-by-name and call-by-need strategies. We prove these results by studying the appropriate lemmas, notably weighted subject reduction and weighted subject expansion. We then deduce observational equivalence between the $\mathtt{name}$ and the $\mathtt{flneed}$ strategies from the fact that their associated normalization properties are both fully characterized by the same typing system.


Soundness. Soundness of system $\mathcal{V}$ w.r.t. both $\to_{\mathtt{name}}$ and $\to_{\mathtt{flneed}}$ is investigated in this section. More precisely, we show that typable terms are normalizing for both strategies. In contrast to reducibility techniques needed to show this kind of result for simple types [34], soundness is achieved here by relatively simple combinatorial arguments based again on decreasing measures. We start by studying the interaction between system $\mathcal{V}$ and linear as well as full substitution.

Lemma 17 (Partial Substitution). Let $\Phi \rhd \Gamma; x:M \vdash C\langle\langle x\rangle\rangle : \sigma$ and $\sqsubseteq$ denote multiset inclusion. Then, there exists $N \sqsubseteq M$ such that for every $\Phi_u \rhd \Delta \vdash u : N$ we have $\Psi \rhd \Gamma + \Delta; x:M \setminus N \vdash C\langle\langle u\rangle\rangle : \sigma$ and, for every $m \in \mathbb{N}$, $\mathcal{M}(\Psi, m) = \mathcal{M}(\Phi, m) + \mathcal{M}(\Phi_u, m + \mathtt{lv}_x(C)) - (0, 0, |N|)$.


Corollary 18 (Substitution). If $\Phi_t \rhd \Gamma; x:M \vdash t : \sigma$ and $\Phi_u \rhd \Delta \vdash u : M$, then $\Phi \rhd \Gamma + \Delta \vdash t\{x\backslash u\} : \sigma$, and for all $m \in \mathbb{N}$ we have $\mathcal{M}(\Phi, m) \leq \mathcal{M}(\Phi_t, m) + \mathcal{M}(\Phi_u, m + \mathtt{lv}_x(t))$. Moreover, $|M| > 0$ iff the inequality is strict.


The key idea to show soundness is that the measure $\mathcal{D}(\_)$ decreases w.r.t. the reduction relations $\to_{\mathtt{name}}$ and $\to_{\mathtt{flneed}}$:


Lemma 19 (Weighted Subject Reduction). Let $\Phi_{t_0} \rhd \Gamma \vdash t_0 : \sigma$.

1. If $t_0 \to_\pi t_1$, then there exists $\Phi_{t_1} \rhd \Gamma \vdash t_1 : \sigma$ such that $\mathcal{D}(\Phi_{t_0}) = \mathcal{D}(\Phi_{t_1})$.
2. If $t_0 \to_s t_1$, then there exists $\Phi_{t_1} \rhd \Gamma \vdash t_1 : \sigma$ such that $\mathcal{D}(\Phi_{t_0}) \geq \mathcal{D}(\Phi_{t_1})$.
3. If $t_0 \to_{\mathtt{ndb}} t_1$, then there exists $\Phi_{t_1} \rhd \Gamma \vdash t_1 : \sigma$ such that $\mathcal{D}(\Phi_{t_0}) > \mathcal{D}(\Phi_{t_1})$.
4. If $t_0 \to_{\mathtt{flneed}} t_1$, then there exists $\Phi_{t_1} \rhd \Gamma \vdash t_1 : \sigma$ such that $\mathcal{D}(\Phi_{t_0}) > \mathcal{D}(\Phi_{t_1})$.


Proof. By induction on $r \in \{\pi, s, \mathtt{ndb}, \mathtt{flneed}\}$, using Lem. 17 and Cor. 18.


Theorem 20 (Typability implies $\mathtt{name}$-Normalization). Let $\Phi_t \rhd \Gamma \vdash t : \sigma$. Then $t$ is $\mathtt{name}$-normalizing.


Proof. Suppose $t$ is not $\mathtt{name}$-normalizing. Since $\to_s$ is terminating by Cor. 5, every infinite $\to_{\mathtt{name}}$-reduction sequence starting at $t$ must necessarily have an infinite number of $\mathtt{dB}$-steps. Moreover, all terms in such an infinite sequence are typed by Lem. 19. Therefore, Lem. 19:3 (resp. Lem. 19:2) guarantees that all $\mathtt{dB}$ (resp. $s$) reduction steps involved in such a $\to_{\mathtt{name}}$-reduction sequence strictly decrease (resp. do not increase) the measure $\mathcal{D}(\_)$. This leads to a contradiction because the order $>$ on 3-tuples $\mathcal{D}(\_)$ is well-founded. Then $t$ is necessarily $\mathtt{name}$-normalizing.


Theorem 21 (Typability implies $\mathtt{flneed}$-Normalization). Let $\Phi_t \rhd \Gamma \vdash t : \sigma$. Then $t$ is $\mathtt{flneed}$-normalizing. Moreover, $\mathcal{D}(\Phi_t)$ is an upper bound to the length of the $\mathtt{flneed}$-reduction evaluation to $\mathtt{flneed}$-nf.


Proof. The property trivially holds by Lem. 19:4 since the lexicographic order on 3-tuples is well-founded.


Completeness. We address here completeness of system $\mathcal{V}$ with respect to $\to_{\mathtt{name}}$ and $\to_{\mathtt{flneed}}$. More precisely, we show that normalizing terms in each strategy are typable. The basic property in showing that consists in guaranteeing that normal forms are typable.

The following lemma makes use of a notion of needed variable: $\mathtt{nv}(x) := \{x\}$, $\mathtt{nv}(tu) := \mathtt{nv}(t)$, $\mathtt{nv}(t[x\backslash\backslash u]) := \mathtt{nv}(t)$, $\mathtt{nv}(\lambda x.t) := \emptyset$, $\mathtt{nv}(t[y\backslash u]) := (\mathtt{nv}(t) \setminus \{y\}) \cup \mathtt{nv}(u)$ if $y \in \mathtt{nv}(t)$ and $\mathtt{nv}(t[y\backslash u]) := \mathtt{nv}(t)$ otherwise.


Lemma 22 ($\mathtt{flneed}$-nfs are Typable). Let $t$ be in $\mathtt{flneed}$-nf. Then there exists a derivation $\Phi \rhd \Gamma \vdash t : \tau$ such that for any $x \notin \mathtt{nv}(t)$, $\Gamma(x) = [\,]$.

Because $\mathtt{name}$-nfs are also $\mathtt{flneed}$-nfs, we infer the following corollary for free.


Corollary 23 ($\mathtt{name}$-nfs are Typable). Let $t$ be in $\mathtt{name}$-nf. Then there is a derivation $\Phi \rhd \Gamma \vdash t : \tau$.


Now we need lemmas stating the behavior of partial and full (anti-)substitution w.r.t. typing.


Lemma 24 (Partial Anti-Substitution). Let $C\langle\langle x\rangle\rangle$, $u$ be terms s.t. $x \notin \mathtt{fv}(u)$ and $\Phi \rhd \Gamma \vdash C\langle\langle u\rangle\rangle : \sigma$. Then $\exists\Gamma', \exists\Delta, \exists M, \exists\Phi', \exists\Phi_u$ s.t. $\Gamma = \Gamma' + \Delta$, $\Phi' \rhd \Gamma' + x:M \vdash C\langle\langle x\rangle\rangle : \sigma$ and $\Phi_u \rhd \Delta \vdash u : M$.

Corollary 25 (Anti-Substitution). Let $u$ be a term s.t. $x \notin \mathtt{fv}(u)$ and $\Phi \rhd \Gamma \vdash t\{x\backslash u\} : \sigma$. Then $\exists\Gamma', \exists\Delta, \exists M, \exists\Phi', \exists\Phi_u$ s.t. $\Gamma = \Gamma' + \Delta$, $\Phi' \rhd \Gamma'; x:M \vdash t : \sigma$ and $\Phi_u \rhd \Delta \vdash u : M$.


To achieve completeness, we show that typing is preserved by anti-reduction. We decompose the property as follows:


Lemma 26 (Subject Expansion). Let $\Phi_{t_1} \rhd \Gamma \vdash t_1 : \sigma$. If $t_0 \to_r t_1$, where $r \in \{\pi, s, \mathtt{ndb}, \mathtt{flneed}\}$, then there exists $\Phi_{t_0} \rhd \Gamma \vdash t_0 : \sigma$.


Proof. The proof is by induction on $\to_r$ and uses Lem. 24 and Cor. 25.


Theorem 27 ($\mathtt{name}$-Normalization implies Typability). Let $t$ be a term. If $t$ is $\mathtt{name}$-normalizing, then $t$ is $\mathcal{V}$-typable.


Proof. Let $t$ be $\mathtt{name}$-normalizing. Then $t \to^n_{\mathtt{name}} u$ and $u$ is a $\mathtt{name}$-nf. We reason by induction on $n$. If $n = 0$, then $t = u$ is typable by Cor. 23. Otherwise, we have $t \to_{\mathtt{name}} t' \to^{n-1}_{\mathtt{name}} u$. By the i.h. $t'$ is typable and thus by Lem. 26 (because $\to_{\mathtt{ns}}$ is included in $\to_s$), $t$ turns out to be also typable.


Theorem 28 ($\mathtt{flneed}$-Normalization implies Typability). Let $t$ be a term. If $t$ is $\mathtt{flneed}$-normalizing, then $t$ is $\mathcal{V}$-typable.


Proof. Similar to the previous proof but using Lem. 22 instead of Cor. 23.

Summing up, Thms. 20, 27, 21 and 28 give:


Theorem 29. Let $t$ be a $\lambda R$-term. $t$ is $\mathtt{name}$-normalizing iff $t$ is $\mathtt{flneed}$-normalizing iff $t$ is $\mathcal{V}$-typable.


All the technical tools are now available to conclude observational equivalence
between our two evaluation strategies based on node replication. Let
R be any reduction notion on $\Lambda_R$. Then, two terms $t, u \in \Lambda_R$ are said to be
R-observationally equivalent, written $t \equiv_R u$, if for any context C, $C\langle t\rangle$ is
R-normalizing iff $C\langle u\rangle$ is R-normalizing.

Theorem 30. For all terms $t, u \in \Lambda_R$, t and u are name-observationally equivalent
iff t and u are flneed-observationally equivalent.

Proof. By Thm. 29, $t \equiv_{name} u$ means that $C\langle t\rangle$ is V-typable iff $C\langle u\rangle$ is V-typable,
for all C. By the same theorem, this is also equivalent to saying that $C\langle t\rangle$ is flneed-normalizing
iff $C\langle u\rangle$ is flneed-normalizing for any C, i.e. $t \equiv_{flneed} u$.

7 Related Works and Conclusion


Several calculi with ES bridge the gap between formal higher-order calculi and
concrete implementations of programming languages (see a survey in [40]). The
first such calculi, e.g. [1,16], were all based on structural substitution, in the
sense that the ES operator is syntactically propagated step-by-step through the
term structure until a variable is reached, when the substitution finally takes
place. The correspondence between ES and Linear Logic Proof-Nets [24] led to
the more recent notion of calculi at a distance [6,4,2], revealing a natural and
new application of the Curry-Howard interpretation. These calculi implement
linear/partial substitution at a distance, where the search for variable occurrences
is abstracted out with context-based rewriting rules, and thus no ES propagation
rules are necessary. A third model was introduced by the seminal work of
Gundersen, Heijltjes, and Parigot [33,34], introducing the atomic $\lambda$-calculus to
implement node replication.

Inspired by the last approach we introduced the $\lambda R$-calculus, capturing the
essence of node replication. In contrast to [33], we work with an implicit (structural)
mechanism of weakening and contraction, a design choice which aims at
focusing on and highlighting the node replication model, which is the core of our
calculus, so that we obtain a rather simple and natural formalism used in particular
to specify evaluation strategies. Indeed, besides the proof of the main
operational meta-level properties of our calculus (confluence, termination of the
substitution calculus, simulations), we use linear and non-linear versions of $\lambda R$
to specify evaluation strategies based on node replication, namely call-by-name
and call-by-need evaluation strategies.

The first description of call-by-need was given by Wadsworth [60], where re- 
duction is performed on graphs instead of terms. Weak call-by-need on terms 
was then introduced by Ariola and Felleisen [7], and by Maraist, Odersky and 
Wadler [54,53]. Reformulations were introduced by Accattoli, Barenbaum and 
Mazza [3] and by Chang and Felleisen [22]. Our call-by-need strategy is in- 
spired by the calculus in [3], which uses the distance paradigm [6] to gather 
together meaningful and permutation rules, by clearly separating multiplicative 
from exponential rules, in the sense of Linear Logic [27]. 

Full laziness has been formalized in different ways. Pointer graphs [60,59]
are DAGs allowing for an elegant representation of sharing. Labeled calculi [15]
implement pointer graphs by adding annotations to $\lambda$-terms, which makes the
syntax more difficult to handle. Lambda-lifting [38,39] implements full laziness
by resorting to translations from $\lambda$-terms to supercombinators. In contrast to all
the previous formalisms, our calculus is defined on standard $\lambda$-terms with explicit
cuts, without the use of any complementary syntactical tool. So is Ariola and
Felleisen's call-by-need [7]; however, their notion of full laziness relies on external
(ad-hoc) meta-level operations used to extract the skeleton. Our specification of
call-by-need enjoys fully lazy sharing, where the skeleton extraction operation
is internally encoded in the term calculus operational semantics. Last but not
least, our calculus has strong links with proof-theory, notably deep inference.
Balabonski [10,9] relates many formalisms of full laziness and shows that
they are equivalent when considering the number of $\beta$-steps to a normal form.
It would then be interesting to understand if his unified approach, (abstractly)
stated by means of the theory of residuals [50,51], applies to our own strategy.

We have also studied the calculus from a semantical point of view, by means 
of intersection types. Indeed, the type system can be seen as a model of our 
implementations of call-by-name and call-by-need, in the sense that typability 
and normalization turn out to be equivalent. 

Intersection types go back to [23] and have been used to provide characterizations
of qualitative [14] as well as quantitative [21] models of the $\lambda$-calculus,
where typability and normalization coincide. Quantitative models specified
by means of non-idempotent types [26,48] were first applied to the $\lambda$-calculus
(see a survey in [19]) and to several other formalisms ever since, such
as call-by-value [25,20], call-by-need [42,5], call-by-push-value [31,18] and classical
logic [47]. In the present work, we achieve for the first time a quantitative
characterization of fully lazy normalization, which provides upper bounds for
the length of reduction sequences to normal forms.

The characterizations provided by intersection type systems sometimes lead
to observational equivalence results (e.g. [42]). In this work we succeed in proving
observational equivalence related to a fully lazy implementation of weak call-by- 
need, a result which would be extremely involved to prove by means of syntactical 
tools of rewriting, as done for weak call-by-need in [7]. Moreover, our result im- 
plies that our node replication implementation of full laziness is observationally 
equivalent to standard call-by-name and to weak call-by-need (see [42]), as well 
as to the more semantical notion of neededness (see [45]). 

A Curry-Howard interpretation of the logical switch rule of deep inference is
given in [58,57] as an end-of-scope operator, thus introducing the spinal atomic
$\lambda$-calculus. The calculus implements a refined optimization of call-by-need, where
only the spine of the abstraction (tighter than the skeleton) is duplicated. It
would be interesting to adapt the $\lambda R$-calculus to spine duplication by means of an
appropriate end-of-scope operator, such as the one in [37]. Further optimizations
might also be considered.

Finally, this paper only considers weak evaluation strategies, i.e. with re- 
ductions forbidden under abstractions, but it would be interesting to extend 
our notions to full (strong) evaluations too [29,12]. Extending full laziness to 
classical logic would be another interesting research direction, possibly taking 
preliminary ideas from [36]. We would also like to investigate (quantitative) tight 
types for our fully lazy strategy, as done for weak call-by-need in [5], which does 
not seem evident in our node replication framework. 
Abstract. We prove that if a data language and its complement are
both recognized by nondeterministic register automata (without guess- 
ing), then they are also recognized by deterministic ones. 


Keywords: Data languages, register automata, determinizability, de- 
terministic separability, sets with atoms, orbit-finite sets, nominal sets 


1 Introduction 


Register automata are finite-state automata equipped with a finite number of 
registers that can store values from an infinite data domain. When processing an 
input string, an automaton compares the current input data value to its registers 
and, based on this comparison and on the current control state, it chooses its 
next control state and possibly stores the input value in one of its registers. In 
the original model, introduced over 25 years ago by Francez and Kaminski [15],
data values can only be compared for equality and not for any other property. 
Subsequent extensions of the model allow for comparing data values with respect 
to some fixed relations such as a total order, or introduce alternation, variations 
on the allowed form of nondeterminism, etc. 

It appears that register automata lack most of the good properties known 
from the classical theory of finite automata. For example, while languages of 
nondeterministic register automata are closed under unions and intersections, 
they are not closed under complement, and they do not determinize. Moreover, 
the expressivity of register automata is very sensitive to natural variants and 
extensions. Any of the following relaxations of the model leads to a strict increase 
of expressive power (see [15,23,1] for details): 


— increasing the number of registers (when this number is bounded), 

— extension from one-way to two-way automata, 

— extension from deterministic to unambiguous, nondeterministic or alternat- 
ing ones, 
— adding the capability to nondeterministically guess data values.


In fact, almost every combination of these extensions leads to a different class 
of recognized languages. Furthermore, no satisfactory characterizations of lan- 
guages of register automata in terms of regular expressions [17,20] or logic [23,12] 
are known. There are a few positive results: a simulation of two-way nondeter- 
ministic automata by one-way alternating automata with guessing [1], a 
Myhill-Nerode characterization of languages of deterministic automata [16,4,5], 
and the well-behaved class of languages definable by orbit-finite monoids [2], 
which admits equivalent characterisations in terms of logic [11] and a syntactic 
subclass of deterministic automata [7]. Nevertheless, register automata satisfy 
almost no semantic equivalences that hold for classical finite automata. 


Contribution. Our primary contribution is a collapse result: if a language and its 
complement are both recognized by nondeterministic register automata (NRA), 
then they are both recognized by deterministic ones (DRA). In symbols, we prove 
the following equality of language classes: 


$\text{NRA} \cap \text{co-NRA} = \text{DRA}$.


This result is shown under the assumption that the data values can be compared 
only for equality, and it turns out to be quite fragile. For instance, it fails if the 
automata can compare data values using a total order relation. It also fails if 
NRA are additionally equipped with the capability of guessing fresh data values, 
even when data values can only be compared for equality. 

Our secondary contribution is a collapse result for NRA with 1 register only
(1-NRA), but over an arbitrary data domain that admits well quasi-order (WQO),
meaning roughly that finite induced substructures of the data domain, ordered by
embeddings, form a WQO. This includes both equality and ordered data domains.
In short, we prove the following inclusion of language classes:


$\text{1-NRA} \cap \text{co-1-NRA} \subseteq \text{DRA}$.


The inclusion is strict, as some DRA languages are not recognizable by 1-NRA. 

Our proofs are mostly self-contained, but use basic notions and results about 
sets with atoms [1], also known as nominal sets [24]. In particular, automorphisms 
of the data domain play a central role in our arguments, and we extensively use 
notions such as finite support and orbit-finiteness of sets. In both results, we 
prove that for every data language $L \in \text{NRA} \cap \text{co-NRA}$ the set of derivative
languages $w^{-1}L$ is orbit-finite, i.e., finite up to automorphism of data values. The
collapse then follows from an orbit-finite version of the Myhill-Nerode theorem. 

In our primary contribution, orbit-finiteness of the set of derivative languages 
is a consequence of a key technical result (Lem. 1), an abstract observation about 
orbit-finite families of sets, which we believe may be of independent interest. As 
another example application of this lemma, we give a new proof of decidability 
of universality for unambiguous register automata (URA). 
Relation to other work. Our primary result partially confirms a conjecture of
Thomas Colcombet [10], according to which every two disjoint languages of NRA
with guessing are separable by a language recognized by a URA. Working in the
special case when the NRA are complementing and have no guessing, we show
more: both languages are then recognized not only by a URA but by a DRA.

NRA do not have good algorithmic properties: while the emptiness problem is
PSPACE-complete [14], the universality problem (does a given automaton accept
all data words?) is undecidable [15] (it is decidable only for 1-NRA [14]). Universality
becomes decidable for URA, as shown recently in [22] (2-EXPSPACE upper
bound, improved to 2-EXPTIME upper bound in [8]), and language containment
and equality for URA reduce polynomially to universality (see [8, Lemma 8]). As
mentioned above, our results allow us to re-prove this decidability result.

Register automata have been intensively investigated, with respect both to 
their foundational properties [15,25,17,23] and to their applications to XML 
databases and logics [14] (see [26] for a survey). There are several other ways to 
extend finite-state machines with a capability to recognize languages over infinite 
alphabets. These include, apart from register automata: their abstract version 
— nominal automata or automata over atoms [4,5,1]; symbolic automata [13]; 
pebble automata [21]; and data automata [3,6]. 


Acknowledgments. We thank Lorenzo Clemente for posing the collapse question 
studied in this paper, and Joanna Ochremiak and Radek Piórkowski for valuable 
discussions. 


2 Data languages and register automata 


The model of register automata, as considered in this paper, is parametrized
by an underlying relational structure ATOMS over a finite vocabulary $\Sigma$. This
structure constitutes a data domain; its elements are called atoms. A register automaton
processes sequences of atoms, possibly coupled with labels from a fixed
finite set. It may store atoms read from the input in its registers, and compare
them with previously stored atoms using relations in $\Sigma$ (equality included).
Here are some example data domains:


— Equality atoms: natural numbers with equality (N, =). Since equality is the 
only available relation, any other countably infinite set could be used instead. 

— Dense order atoms: rational numbers with the standard order (Q, <). Again, 
any countably infinite dense order without endpoints could be used instead. 

— Nested equality atoms (universal equivalence relation): $(\mathbb{N}^2, =_1, =)$ where $=_1$
is the equality on the first coordinate: $(n_1, n_2) =_1 (m_1, m_2)$ if $n_1 = m_1$.


In the following we consider input alphabets of the form $S \times \text{ATOMS}$, where
S is a finite set of labels. A data word is a finite sequence $w \in (S \times \text{ATOMS})^*$,
and a data language is a set of data words.

A nondeterministic register automaton (NRA) A consists of: 


— an input alphabet of the form $S \times \text{ATOMS}$, for some finite set S,
— a positive integer $r \in \mathbb{N}$ (the number of registers),
— a finite set of control states (locations) Q,
— subsets $I, F \subseteq Q$ of initial resp. accepting states,
— a finite set $\Delta$ of transition rules of the form

$(p, s, \varphi, ST, q) \in \Delta$, (1)

where $p, q \in Q$, $s \in S$, $\varphi(x_1, \ldots, x_r, x)$ is a quantifier-free $\Sigma$-formula with
free variables in $\{x_1, \ldots, x_r, x\}$, and $ST \in \{1, \ldots, r, \text{NONE}\}$.


Intuitively, $\varphi$ defines a condition which needs to be satisfied by the register
contents $(x_1, \ldots, x_r)$ and by the current atom (x) for a transition to happen,
and ST specifies the register in which the input atom is stored after the transition,
ST = NONE meaning that it is not to be stored in any register.

An NRA A is deterministic (DRA) if it has exactly one initial state and if for
every two transition rules

$(p, s, \varphi_1, ST_1, q_1), (p, s, \varphi_2, ST_2, q_2) \in \Delta$,

such that $\varphi_1 \wedge \varphi_2$ is satisfiable in ATOMS, we have $ST_1 = ST_2$ and $q_1 = q_2$. We
write r-NRA, resp. r-DRA, when the number of registers r is fixed.

A configuration $q(\bar a) \in Q \times (\text{ATOMS} \cup \{\bot\})^r$ of A consists of a control state
$q \in Q$ and a content of registers $\bar a \in (\text{ATOMS} \cup \{\bot\})^r$, where $\bot$ means that the
content of a register is undefined (i.e., the register is empty). A rule (1) induces
a transition $p(\bar a) \xrightarrow{(s,a)} q(\bar b)$ from a configuration $p(\bar a)$ to a configuration $q(\bar b)$ if:

— ATOMS, $(\bar a, a) \models \varphi$ (by definition, this fails if $\varphi$ refers to any variable that
has the undefined value $\bot$ in $\bar a$), and
— $\bar b$ is obtained from $\bar a$ by placing a on coordinate ST if ST $\neq$ NONE, and $\bar b = \bar a$
otherwise.


A run of A on a data word $w = (s_1, a_1) \cdots (s_n, a_n)$ is a sequence

$q_0(\bar a_0) \xrightarrow{(s_1,a_1)} q_1(\bar a_1) \xrightarrow{(s_2,a_2)} \cdots \xrightarrow{(s_n,a_n)} q_n(\bar a_n)$,

where $q_0$ is an initial state and $\bar a_0$ is a tuple where the content of all registers is
undefined. We then say that the configuration $q_n(\bar a_n)$ is reachable along w. The
set of all configurations reachable along w is finite, and it is denoted A(w).

A run is accepting if it ends in a configuration with an accepting state. A
data word w is accepted by A if there is an accepting run of A on w. An NRA is
unambiguous (URA) if every word has at most one accepting run.

The language of A, denoted L(A), is the set of all data words accepted by A. 


3 Examples 


In all our examples, the finite component S of data alphabets will be a singleton
set. We will therefore omit S when describing automata, so (1) will simplify to

$(p, \varphi, ST, q) \in \Delta$.

Graphically, a transition rule like this will be presented as an arrow from p to q
labelled with $\varphi$, together with the register index n when ST = n and with no
index when ST = NONE. [Diagram of the graphical notation omitted.]
Furthermore, the diagrams use a distinguished marking on a state p to indicate
that p is initial, and another on a state q to indicate that q is accepting.


Example 1. For the equality atoms, consider the language $L \subseteq \text{ATOMS}^*$ of those
words where the first letter appears at some later position:

$L = \{a_1 \ldots a_n \mid n > 1,\ a_1 = a_i \text{ for some } i > 1\}$.

This language is recognized by a DRA with one register and three control states:

[Automaton diagram omitted: states p, q, r with transitions labelled $\top$, $x = x_1$
and $x \neq x_1$, as described below.]

This automaton stores the first letter in its only register and then remains in
the (non-accepting) state q until the letter is encountered again; then it moves
to the accepting state r and stays there.


Example 2. Still for the equality atoms, consider the reverse of the language
from Example 1, i.e., the language of those words where the last letter appears
at some earlier position. This language is not recognized by any DRA, but it is
recognized by an NRA with one register and three control states:

[Automaton diagram omitted: three states and one register, with transitions
labelled $\top$, $x = x_1$ and $x \neq x_1$, as described below.]

This automaton nondeterministically decides to store a letter in its register and
then checks that the last letter is equal to the stored one.


Example 3. Still for the equality atoms, consider the complement of the language 
from Example 2, i.e., the language L of those words where the last letter does 
not appear at any earlier position. (In particular, we consider the empty word 
and all length-one words to be in this language.) 

The language L is not recognized by any NRA. However, it becomes recogniz- 
able if automata are additionally equipped with the ability of guessing, that is, 
of updating the contents of their registers with arbitrary atoms, possibly differ- 
ent from the one that comes with the current input letter. Unlike NRA without 
guessing, those with guessing are closed under reversal [18, Def. 3 and Corollary 
31], and the reversal of the language L is even recognized by a DRA. 


Example 4. Automata from Ex. 1-3 work just as well over the dense order domain:
the formulas in their transition rules simply do not use the order relation.
However, over densely ordered atoms something more happens: the language
from Ex. 3 is recognizable by an NRA without guessing.

The automaton has two registers. The idea is that, at any moment in an
accepting run where these registers store atoms $a_1 < a_2$:

(a) in the part of the word read so far, no letter is in the open interval $(a_1, a_2)$,
(b) the last letter of the word will belong to that open interval.

Condition (a) can be ensured easily: upon reading a letter a that belongs to
the open interval $(a_1, a_2)$, the automaton will (enter an accepting state for the
moment and) put a in one of the two registers. The register is chosen nondeterministically
so that condition (b) remains true. If the currently input letter is not
in the interval $(a_1, a_2)$, the automaton enters a rejecting state for the moment,
with the registers kept unchanged.

Special treatment is needed to deal with situations where the last letter of 
the word will be larger than (or smaller than) all the letters encountered so far. 
These are taken care of by introducing special control states where one of the 
two registers remains undefined. 


Example 5. Fix k > 2. Over equality atoms, consider the language $L_k$ of all
words w of length at least k whose kth last letter is equal to the last letter. Then
$L_k$ is recognised by an NRA with one register and k + 1 states, depicted below:

[Automaton diagram omitted: a chain of k + 1 states with transitions labelled $\top$,
the last one labelled $x = x_1$.]

The complement of $L_k$ is also recognised by an NRA, similar to the one above,
but with $x \neq x_1$ in place of $x = x_1$ in the last transition, and with an additional
component for accepting words of length smaller than k. The language $L_k$ is also
recognised by a DRA with k registers, where register number i stores the letter
which appeared on the latest seen position with index congruent to i, mod k. It
has k states, for counting the index of the current position, mod k.
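As an added example (not code from the paper), the following Python simulator implements the NRA semantics of Sec. 2 over the equality atoms (configurations, the reachable set A(w), acceptance, the DRA condition) and encodes the automata of Examples 1, 2 and 5; the state names, the concrete rule sets and the restriction of guards to conjunctions of literals $x = x_i$ / $x \neq x_i$ are my own assumptions, since the diagrams did not survive extraction.

```python
"""Added example, not code from the paper: a simulator for register automata
over the equality atoms following Sec. 2, plus my own encodings of the
automata of Examples 1, 2 and 5.  Assumptions: S is a singleton and omitted
(as in Sec. 3); guards are conjunctions of literals x = x_i / x != x_i, a
fragment of the paper's quantifier-free formulas; state names are mine."""
from collections import Counter

NONE = None     # ST = NONE: the input atom is not stored
BOTTOM = None   # undefined register content (the paper's bottom symbol)
TOP = ()        # the guard "true"


def holds(guard, regs, x):
    """ATOMS, (regs, x) |= guard; false if a referenced register is undefined."""
    for op, i in guard:
        reg = regs[i - 1]
        if reg is BOTTOM:
            return False
        if (op == "eq") != (x == reg):
            return False
    return True


def satisfiable_together(g1, g2):
    """Over equality atoms, a conjunction of such literals is unsatisfiable
    exactly when some register must be both equal and unequal to x."""
    lits = set(g1) | set(g2)
    return not any(("eq", i) in lits and ("ne", i) in lits for _, i in lits)


class NRA:
    def __init__(self, r, initial, accepting, rules):
        self.r = r                        # number of registers
        self.initial = set(initial)       # I
        self.accepting = set(accepting)   # F
        self.rules = list(rules)          # (p, guard, ST, q) as in rule (1)

    def is_deterministic(self):
        """DRA check of Sec. 2: one initial state, and any two rules from the
        same state with jointly satisfiable guards agree on ST and target."""
        if len(self.initial) != 1:
            return False
        for p1, g1, st1, q1 in self.rules:
            for p2, g2, st2, q2 in self.rules:
                if p1 == p2 and satisfiable_together(g1, g2):
                    if (st1, q1) != (st2, q2):
                        return False
        return True

    def runs(self, word):
        """Configurations reachable along `word` (the finite set A(w)), each
        with the number of runs reaching it."""
        configs = Counter({(q, (BOTTOM,) * self.r): 1 for q in self.initial})
        for x in word:
            nxt = Counter()
            for (q, regs), n in configs.items():
                for p, guard, st, q2 in self.rules:
                    if p == q and holds(guard, regs, x):
                        new = list(regs)
                        if st is not NONE:
                            new[st - 1] = x      # store x in register ST
                        nxt[(q2, tuple(new))] += n
            configs = nxt
        return configs

    def accepting_runs(self, word):
        """Number of accepting runs; at most 1 for every word iff unambiguous."""
        return sum(n for (q, _), n in self.runs(word).items()
                   if q in self.accepting)

    def accepts(self, word):
        return self.accepting_runs(word) > 0


EQ1, NE1 = (("eq", 1),), (("ne", 1),)

# Example 1: the first letter reappears later.  One register, three states.
EX1 = NRA(1, {"p"}, {"r"}, [
    ("p", TOP, 1, "q"),      # store the first letter
    ("q", NE1, NONE, "q"),   # wait for it to reappear
    ("q", EQ1, NONE, "r"),   # seen again: accept from now on
    ("r", TOP, NONE, "r"),
])

# Example 2: the last letter appeared earlier.  The automaton guesses which
# occurrence to store; r has no outgoing rule, so it must be reached at the end.
EX2 = NRA(1, {"p"}, {"r"}, [
    ("p", TOP, NONE, "p"),
    ("p", TOP, 1, "q"),      # nondeterministic choice: store this letter
    ("q", TOP, NONE, "q"),
    ("q", EQ1, NONE, "r"),
])


def kth_last(k):
    """Example 5, for any k >= 2: L_k (the k-th last letter equals the last
    one) as an NRA with one register and k + 1 states 0..k."""
    rules = [(0, TOP, NONE, 0), (0, TOP, 1, 1)]          # guess the k-th last
    rules += [(i, TOP, NONE, i + 1) for i in range(1, k - 1)]
    rules.append((k - 1, EQ1, NONE, k))                 # last letter must match
    return NRA(1, {0}, {k}, rules)
```

Counting runs with a multiset makes the URA condition of Sec. 2 checkable word by word; for instance the Example 2 encoding has two accepting runs on the word aaa, so it is not unambiguous.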


4 Main results 


Our primary contribution is: 


Theorem 1. Over equality atoms, if a data language and its complement are 
both recognizable by nondeterministic register automata, then they are both rec- 
ognizable by deterministic register automata. 


Note that this result fails if automata with guessing are considered (see Ex. 3). 
Indeed, the language from Ex. 2 is recognized by a 1-NRA, and its complement in 
Ex. 3 is recognized by a 1-NRA with guessing, but they are not deterministically 
recognizable. 

Moreover, the result fails (even without guessing) for densely ordered atoms. 
The counterexample is the same: the language from Ex. 2 is recognized by a 1- 
NRA, and its complement is recognized by a 2-NRA over densely ordered atoms 
as explained in Ex. 4, but they are not deterministically recognizable. Here the 
use of two registers in NRA is necessary, due to our secondary contribution: for 
a wide range of data domains, if a data language and its complement are both 
recognized by 1-NRA, then they are recognized by DRA. 
We prove this for any data domain ATOMS which admits WQO in the following
sense. A well quasi-order (WQO) is a quasi-order $(Z, \leq)$ such that for every
infinite sequence $z_1, z_2, \ldots \in Z$ there are $1 \leq i < j$ with $z_i \leq z_j$. For a finite
set X, an X-labeled substructure of ATOMS is a set $B \subseteq \text{ATOMS}$ together with
a labelling $\ell_B : B \to X$. For two X-labeled substructures B and C of ATOMS,
we say that B embeds into C (written $B \leq C$) if some automorphism $\pi$ of
ATOMS, restricted to B, yields a label-preserving injection from B to C, so that
$\ell_B = \ell_C \circ \pi|_B$. Let $\text{AGE}_X(\text{ATOMS})$ be the set of all finite labeled substructures
of ATOMS, partially ordered by $\leq$. We say that ATOMS admits WQO if for every
finite set X, the quasi-order $(\text{AGE}_X(\text{ATOMS}), \leq)$ is a WQO. All data domains
listed in Section 2 admit WQO [19]. They are also oligomorphic (see Sec. 5 below).


Theorem 2. Over any oligomorphic atoms that admit WQO, if a data language
and its complement are both recognizable by nondeterministic register automata
with one register, then they are recognizable by deterministic register automata.

The rest of the paper consists of the proofs of Thms. 1 and 2, in Sec. 6 and 8,
respectively, preceded by Sec. 5 that recalls basic definitions of the setting of sets
with atoms which are used in the proofs. Our main technical lemma is proved in
Sec. 6. Besides proving Thm. 1, in Sec. 7 we explain how it implies decidability
of universality for unambiguous register automata.


5 Orbit-finite automata 


Our proofs rely on some basic notions and results of the theory of sets with 
atoms [1], also known as nominal sets [24]. In this section we recall what is 
necessary to follow our arguments; this is part of a uniform abstract approach 
to register automata developed in [4,5,1]. 

Let Aut( ATOMS) denote the group of all automorphisms of a relational struc- 
ture ATOMS. (For the equality atoms (N,=) this means the group of all bijec- 
tions; for the densely ordered atoms (Q, <), the group of monotone bijections.) 
We consider sets equipped with an action of this group, typically, $\text{ATOMS}^n$ for
some n > 0 or $\text{ATOMS}^*$ with the componentwise action.


Group actions. A (left) action of a group G on a set X is a mapping $\_ \cdot \_ :
G \times X \to X$ such that $1 \cdot x = x$ and $(\sigma\pi) \cdot x = \sigma \cdot (\pi \cdot x)$ for all $\sigma, \pi \in G$ and $x \in X$.
We then say that G acts on X, or that X is a G-set. For $x \in X$, we call the
set $\{\pi \cdot x \mid \pi \in G\}$ the orbit of x, or an orbit in X. The orbits in X partition X
into disjoint sets. We call X orbit-finite if it has finitely many orbits.

Group actions canonically extend along familiar set-theoretic constructions:
if X and Y are G-sets then the cartesian product $X \times Y$, the disjoint union $X \uplus Y$,
the set of sequences $X^*$, the powerset $\mathcal{P}(X)$ etc. are all G-sets, in the expected
way. For example, G acts componentwise on $X \times Y$ via $\pi \cdot (x, y) = (\pi \cdot x, \pi \cdot y)$.


Oligomorphicity. A structure ATOMS is oligomorphic if for every $n \in \mathbb{N}$, the
componentwise action of Aut(ATOMS) on $\text{ATOMS}^n$ induces finitely many orbits.
All structures considered in this paper are oligomorphic; an example of a non-oligomorphic
structure is the total order of integers.
Supports. Let Aut(ATOMS) act on a set X and let $x \in X$. A support of x is any set
$S \subseteq \text{ATOMS}$ such that the following implication holds for all $\pi \in \text{Aut(ATOMS)}$:

if $\pi(s) = s$ for all $s \in S$ then $\pi \cdot x = x$.


An element x € X is finitely supported if it has some finite support. 

For many structures ATOMS, finite supports of a fixed element are always
closed under intersections. Then every finitely supported x has the least support,
denoted sup(x). This happens in particular for the equality atoms (as proved
in [24, Prop. 2.3] or in [5, Cor. 9.4]) and for the dense order atoms (as proved
in [5, Prop. 9.5]). It is easy to prove that taking least supports commutes with
group actions: $\pi \cdot \text{sup}(x) = \text{sup}(\pi \cdot x)$ for every $x \in X$ and $\pi \in \text{Aut(ATOMS)}$.


Equivariance. An element (or a subset, relation, function...) of an Aut(ATOMS)- 
set is called equivariant if it is supported by the empty set; equivalently, it is 
fixed by every automorphism of ATOMS. For example: 


— a subset Z of an Aut(ATOMS)-set X is equivariant if and only if it is a union
of orbits in X (indeed, it is then equivariant as an element of $\mathcal{P}(X)$);

— a relation $R \subseteq X \times Y$ is equivariant if and only if $x R y \Leftrightarrow (\pi \cdot x) R (\pi \cdot y)$
for all $x \in X$, $y \in Y$ and $\pi \in \text{Aut(ATOMS)}$. An equivariant function is a
function whose graph is an equivariant relation.


Standard set-theoretic relations such as set membership, or set containment, are
equivariant. Indeed, $z \in Z \Leftrightarrow (\pi \cdot z) \in (\pi \cdot Z)$, etc.

If $\sim$ is an equivariant equivalence relation on X then Aut(ATOMS) acts on
the set $X/{\sim}$, by $\pi \cdot C = \{\pi \cdot x \mid x \in C\}$ for each $\sim$-equivalence class $C \subseteq X$.


Register automata. Fix a structure ATOMS and let R be an NRA with in- 
put alphabet S x ATOMS, control states Q, and with r registers. The group 
Aut( ATOMS) acts on all the components of R: 


— on the input alphabet $A := S \times \text{ATOMS}$, via $\pi \cdot (s, a) = (s, \pi(a))$;
— on the set $C := Q \times (\text{ATOMS} \uplus \{\bot\})^r$ of all configurations of R, via

$\pi \cdot q(a_1, \ldots, a_r) = q(\pi(a_1), \ldots, \pi(a_r))$ (where $\pi(\bot) = \bot$);

— the set of initial configurations and the set of accepting configurations are
both equivariant subsets of C;
— the set of transitions of R is an equivariant relation: if $p(\bar a) \xrightarrow{(s,a)} q(\bar a')$ is a
transition of R, then so is $\pi \cdot p(\bar a) \xrightarrow{\pi \cdot (s,a)} \pi \cdot q(\bar a')$.

Furthermore, each of these components is orbit-finite, and each of its elements
has a finite support. Using the terminology of [5], this means that register automata
are a special case of orbit-finite automata.

By equivariance of all the components above, the language L(R) of a register
automaton is an equivariant subset of $A^* = (S \times \text{ATOMS})^*$, considered with the
componentwise action of Aut(ATOMS) on $A^*$, i.e.

$\pi \cdot ((s_1, a_1), \ldots, (s_n, a_n)) = ((s_1, \pi \cdot a_1), \ldots, (s_n, \pi \cdot a_n))$.
Myhill-Nerode theorem. In order to prove that a language is deterministically
recognizable, we use the following Myhill-Nerode characterization. 

For an alphabet $A = S \times \text{ATOMS}$ and data language $L \subseteq A^*$, consider its
Myhill-Nerode equivalence ${\sim_L} \subseteq A^* \times A^*$, defined by

$u \sim_L v$ if and only if $(uw \in L \Leftrightarrow vw \in L)$ for all $w \in A^*$.


Theorem 3. [5, Thm. 3.8 and Thm. 6.4] Let ATOMS be oligomorphic and
$L \subseteq (S \times \text{ATOMS})^*$ be an equivariant language. Then L is deterministically
recognizable if and only if $(S \times \text{ATOMS})^*/{\sim_L}$ is orbit-finite.


Among other things, this theorem immediately implies that the language from 
Ex. 2 is not deterministically recognizable, neither for the equality atoms nor 
for the total order atoms. Indeed, two words are Myhill-Nerode equivalent with 
respect to that language if and only if they contain the same set of letters. There- 
fore, the language cannot be deterministically recognizable, since automorphisms 
of ATOMS preserve the number of distinct letters in a word. 


6 Proof of Theorem 1 


In the proof, we will make use of an abstract notion of a split of a family of sets.
For any family F of subsets of a set X, a split of F is a pair (U, V) of sets
which partition X: $X = U \uplus V$, such that both U and V are finite unions of
elements of F. Obviously, for any splits to exist, $X = \bigcup F$ must hold.
In the following lemma, ATOMS is the equality atoms.


Lemma 1. For any Aut(ATOMS)-set X with finitely supported elements, and
any equivariant, orbit-finite family F of finitely supported subsets of X, the set
G of splits of F is orbit-finite. Moreover, a bound on the number of orbits of G
and the maximal size of the support of an element in G are computable from the
analogous bounds for F.


As should be clear after reading Sec. 5, the set of splits of F is considered with
the natural action of Aut(ATOMS): $\pi \cdot (U, V) = (\pi \cdot U, \pi \cdot V)$, where $\pi \cdot W =
\{\pi \cdot c \mid c \in W\}$ for $W \subseteq X$.


We will prove Lem. 1 in Sec. 6.2. For now, let us show how the lemma implies 
Thm. 1. 

Let A and B be two NRA over an alphabet A = S x ATOMS such that L(A) 
and L(B) partition A*. We will show that the Myhill-Nerode equivalence of 
L = L(A) has orbit-finitely many classes. Together with Thm. 3, this will prove 
that L is deterministically recognizable. 

Let C be the set of configurations of $A \uplus B$ (the disjoint union of A and B).
Hence, C consists of tuples of the form $q(\bar a)$ where q is either a state of A or
a state of B (but not both), and $\bar a$ is a tuple of elements of $\text{ATOMS} \uplus \{\bot\}$ of
appropriate length. For $c \in C$ denote

$L_c := \{w \in A^* \mid A \uplus B \text{ accepts } w \text{ from configuration } c\}$,
and let $F = \{L_c \mid c \in C\}$. Since C is equivariant and orbit-finite, so is F. Moreover,
if $c = q(\bar a)$ then $L_c$ is finitely supported by the atoms in $\bar a$. Clearly, every
word $(s_1, a_1) \cdots (s_n, a_n) \in A^*$ is supported by $\{a_1, \ldots, a_n\}$. This means that F
and $X = A^*$ satisfy the assumptions of Lem. 1, therefore F has only orbit-finitely
many splits.

Every word $v \in A^*$ induces a partition of $A^*$ into two disjoint sets:

$U_v = \{w \in A^* \mid vw \in L\}$ and $V_v = \{w \in A^* \mid vw \notin L\}$.

Moreover, the sets $U_v$ and $V_v$ are finite unions of sets from F, namely

$U_v = \bigcup_{c \in A(v)} L_c$ and $V_v = \bigcup_{c \in B(v)} L_c$.

These unions are finite because automata A and B allow no guessing and so
A(v) and B(v), the sets of configurations reachable in A resp. B by reading the
word v, are finite. Therefore, $(U_v, V_v)$ is a split of F, for any word v.

By definition, $u \sim_L v$ if and only if $U_u = U_v$. Consider any two words 
$v, w \in A^*$ such that the splits $(U_v, V_v)$ and $(U_w, V_w)$ are in the same orbit, i.e., 
$U_w = \pi \cdot U_v$ (and therefore also $V_w = \pi \cdot V_v$) for some automorphism $\pi$. Since $L$ 
is an equivariant language, we have $\pi \cdot U_v = U_{\pi \cdot v}$ and so $w \sim_L \pi \cdot v$. Theorem 1 
now follows from Thm. 3. 


6.1 Examples 


Before proving Lem. 1, we give some examples of families of splits, which may 
be helpful in developing some intuitions. 

The first example shows that the number of orbits of splits may grow as fast 
as double-exponentially, relative to the least supports of elements of F. 


Example 6. For the equality atoms, fix $k \geq 1$ and let $X$ be the set of all $k$-tuples 
of pairwise distinct atoms. For each $S \subseteq \mathrm{ATOMS}$ with $|S| = k$, let $S^{(k)} = S^k \cap X$ 
and let $M_S = X \setminus S^{(k)}$. Note that $S^{(k)}$ is finite, with $k!$ elements. 

The family $\mathcal{F} \subseteq \mathcal{P}(X)$ of all singletons in $X$ and all sets $M_S$ as above is 
equivariant and has two orbits. Each set in $\mathcal{F}$ has a support of size $k$. 

For any $K \subseteq S^{(k)}$, consider the partition of $X$ into $K$ and $X \setminus K$. Then 
$(K, X \setminus K)$ is a split of $\mathcal{F}$, as $K = \bigcup_{v \in K} \{v\}$ and $X \setminus K = M_S \cup \bigcup_{w \in S^{(k)} \setminus K} \{w\}$. 

Moreover, every split $(U,V)$ of $\mathcal{F}$ is of the form $(K, X \setminus K)$ or $(X \setminus K, K)$ 
for some $S$ and $K$ as above. Indeed, suppose $U = \bigcup \mathcal{U}$ and $V = \bigcup \mathcal{V}$ for some 
finite $\mathcal{U}, \mathcal{V} \subseteq \mathcal{F}$. As $U \cup V = X$ is infinite, $\mathcal{U} \cup \mathcal{V}$ must contain $M_S$ for some set 
$S$ of $k$ atoms. Suppose without loss of generality that $M_S \in \mathcal{U}$. By disjointness 
of $U$ and $V$, the set $\mathcal{V} \subseteq \mathcal{F}$ may only contain singletons $\{v\}$, for $v \in S^{(k)}$. Then 
$(U,V) = (X \setminus K, K)$, where $K = \bigcup \mathcal{V}$. 

For $K, K' \subseteq S^{(k)}$, the splits defined by $K$ and $K'$ are in the same orbit only 
if there is an automorphism $\pi$ that fixes $S$ as a set, such that $\pi \cdot K = K'$. Since 
there are only $k!$ bijections on $S$, the set of splits of $\mathcal{F}$ has at least $2^{k!}/k!$ orbits. 
The next example shows the difference between splits and the finite subfam- 
ilies of $\mathcal{F}$ that define those splits: the set of those families may be orbit-infinite. 


Example 7. Let $X$ be the set of all finite sets of equality atoms. For any distinct 
atoms $a,b$, define $E_{a,b}, D_{a,b} \subseteq X$ by: 

$E_{a,b} = \{F \in X \mid a \in F \Leftrightarrow b \in F\}$, $D_{a,b} = X \setminus E_{a,b}$, 

and let $\mathcal{F}$ contain all sets $E_{a,b}$ and $D_{a,b}$. This $\mathcal{F}$ has two orbits. 

Obviously, $(U, V) = (X, \emptyset)$ is a split of $\mathcal{F}$; it is enough to take $\mathcal{U} = \{D_{a,b}, E_{a,b}\}$ 
and $\mathcal{V} = \emptyset$ for any fixed $a,b$. However, there are many more minimal families 
$\mathcal{U}$ and $\mathcal{V}$ that achieve the same effect. Indeed, for any number $n$, and for any 
pairwise distinct atoms $a_1,\ldots,a_n$, consider: 

$\mathcal{U} = \{D_{a_1,a_2}, D_{a_2,a_3}, \ldots, D_{a_{n-1},a_n}, E_{a_1,a_n}\}$, $\mathcal{V} = \emptyset$. 

It is easy to check that $\bigcup \mathcal{U} = X$. All such families are minimal (in fact, removing 
any element from $\mathcal{U}$ would prevent it from being the part of any split of $\mathcal{F}$), and 
for each $n$ these families form a separate orbit. 


The following example shows that the statement of Lem. 1 fails if the atoms 
are $(\mathbb{Q}, <)$. It is obtained from Ex. 4 via the translation given in the proof of 
Thm. 1, and a simplification replacing each word by its last letter. 


Example 8. The atoms are $(\mathbb{Q}, <)$. Let $X = \mathbb{Q}$ and let $\mathcal{F} \subseteq \mathcal{P}(X)$ consist of: 

– singletons $\{q\} \subseteq X$, for $q \in \mathbb{Q}$; 
– open intervals $(p,q) \subseteq X$, for $p < q$ in $\mathbb{Q} \cup \{-\infty, +\infty\}$. 

Then $\mathcal{F}$ has five orbits (here $\pm\infty$ are fixed under the action of Aut(ATOMS)). 
For any finite set $K \subseteq X$, consider the partition of $X$ into $K$ and $X \setminus K$. Then 
$K = \bigcup_{q \in K} \{q\}$ whereas $X \setminus K$ is the union of all intervals $(p,q)$, where $p < q$ 
are consecutive elements in $K \cup \{-\infty, +\infty\}$. Hence, $(K, X \setminus K)$ is a split of $\mathcal{F}$. 
In particular, the set of all splits of $\mathcal{F}$ has infinitely many orbits, because the set 
of finite subsets of $X$ has infinitely many orbits. 


6.2 Proof of Lemma 1 


We prove by induction a stronger statement, where the atoms are assumed to 
be an expansion of $(\mathbb{N}, =)$ by finitely many constants. In other words, in this 
section we will assume that ATOMS is a structure over a vocabulary that consists 
of (equality and) a finite number of constant symbols; the universe of ATOMS is 
$\mathbb{N}$, with the constants interpreted as some pairwise distinct numbers. The group 
Aut(ATOMS) then consists of all bijections of ATOMS which fix every constant. 

If ATOMS is such a structure and $T$ is a finite set of atoms all different 
from the constants, then by $\mathrm{ATOMS}_T$ we denote the structure, over an extended 
vocabulary, that arises from ATOMS by interpreting all the atoms in $T$ as ad- 
ditional constants. Obviously, $\mathrm{Aut}(\mathrm{ATOMS}_T)$ is a subgroup of Aut(ATOMS), so 
every action of Aut(ATOMS) on a set $X$ restricts to an action of $\mathrm{Aut}(\mathrm{ATOMS}_T)$. 
This restriction preserves and reflects the existence of finite supports: an element 
$x \in X$ is supported by some $S$ in the action of Aut(ATOMS) if and only if it is 
supported by $S \setminus T$ in the restricted action of $\mathrm{Aut}(\mathrm{ATOMS}_T)$. In particular, if 
ATOMS is an expansion of $(\mathbb{N}, =)$ by finitely many constants, then every finitely 
supported element $x$ has a least support $\mathrm{sup}(x)$. Note that $\mathrm{sup}(x)$ never contains 
any constants, since those can always be safely removed from any support. 

For a subset $\mathcal{U}$ of an orbit-finite equivariant set $\mathcal{F}$, its dimension $\dim(\mathcal{U})$ is 
the maximum size of the least support of an element of $\mathcal{U}$. This makes sense 
even if $\mathcal{U}$ is infinite, because $\mathcal{F}$ is orbit-finite and sets from the same orbit have 
least supports of the same size. In particular, $\dim(\mathcal{F})$ is well defined. 

The following lemma says that adding constants to atoms preserves orbit- 
finiteness. It is a standard result in the theory of sets with atoms, see e.g. [1, 
Lem. 3.19] or [24, Lem. 5.22], indeed it is a fundamental property of oligomorphic 
structures, but we re-prove it here to extract explicit bounds: 


Lemma 2. Fix a finite set $T \subseteq \mathrm{ATOMS}$. For any orbit-finite Aut(ATOMS)-set $\mathcal{F}$ 
with $l$ orbits, the corresponding action of $\mathrm{Aut}(\mathrm{ATOMS}_T)$ on $\mathcal{F}$ is also orbit-finite, 
with at most $l \cdot (|T| + 1)^{\dim(\mathcal{F})}$ orbits. 


Proof. Assume first that $\mathcal{F}$ has only one orbit in the Aut(ATOMS)-action, i.e., 
that $l = 1$. Let $d = \dim(\mathcal{F})$. Let $Y$ denote the set of $d$-tuples of pairwise distinct 
atoms different from the constants in ATOMS. This is a single-orbit set under the 
componentwise action of Aut(ATOMS). Pick any $x_0 \in \mathcal{F}$. Let $y_0 = (a_1,\ldots,a_d) \in 
Y$ be an enumeration of $\mathrm{sup}(x_0)$. There is a unique equivariant surjection $f\colon Y \to 
X$ such that $f(\pi \cdot y_0) = \pi \cdot x_0$ for all $\pi \in \mathrm{Aut}(\mathrm{ATOMS})$. (The function $f$ is total 
since $Y$ has one orbit; it is well defined because $y_0$ enumerates a support of 
$x_0$, and it is surjective since $X$ has one orbit.) Two tuples in $Y$ are in the 
same orbit in the action of $\mathrm{Aut}(\mathrm{ATOMS}_T)$ if and only if they contain the same 
arrangement of atoms from $T$ at the same positions. There are at most $(|T| + 1)^d$ 
such arrangements (in fact fewer than this if $d > 1$, because tuples in $Y$ are 
pairwise distinct), so $Y$ has at most $(|T| + 1)^d$ such orbits. $X$ is an image of the 
equivariant function $f\colon Y \to X$, so the same bound applies to $X$. For a set $\mathcal{F}$ 
with $l$ orbits, each of dimension at most $d$, the bound simply multiplies by $l$. 


From now on consider ATOMS as described above, and let X and F be as in 
the statement of Lem. 1. The following key lemma says that every split of F has 
a support of a bounded size. 


Lemma 3. Let $U \uplus V$ be a split of $\mathcal{F}$ and let $\mathcal{U}, \mathcal{V}$ be finite subfamilies of $\mathcal{F}$ 
such that $\bigcup \mathcal{U} = U$ and $\bigcup \mathcal{V} = V$. Then $U$ and $V$ each have a support of size at 
most $N$, for some bound $N$ computable only from $\dim(\mathcal{U})$, $\dim(\mathcal{V})$, $\dim(\mathcal{F})$ and 
the number of orbits in $\mathcal{F}$. 


The crux of this lemma is that the number $N$ does not depend on the split 
$U \uplus V$. It only depends on the number of orbits in $\mathcal{F}$, its dimension $\dim(\mathcal{F})$, and 
on $\dim(\mathcal{U})$ and $\dim(\mathcal{V})$ (which, anyway, are bounded from above by $\dim(\mathcal{F})$). 

Proof (of Lem. 3). We proceed by induction on $k = \dim(\mathcal{U}) + \dim(\mathcal{V})$. Fix $k \geq 0$ 
and assume that the statement of the lemma holds for all smaller values of $k$. 
Without loss of generality, we may assume that $\emptyset$ does not belong to $\mathcal{U}$ nor $\mathcal{V}$ 
(as it can be safely removed from each of them). 


For a finitely supported set $F \subseteq X$ define 

$F^\sharp := \{\pi \cdot y \mid \pi \in \mathrm{Aut}(\mathrm{ATOMS}),\ y \in F,\ \mathrm{sup}(y) \cap \mathrm{sup}(F) = \emptyset\}.$ 

Intuitively, $F^\sharp$ arises by taking all elements of $F$ that are “fresh for $F$”, i.e., ones 
whose supports share no atoms with the support of $F$, and then by applying ar- 
bitrary atom automorphisms to those elements. Note that $F^\sharp$ is equivariant 
and $F^\sharp = (\pi \cdot F)^\sharp$ for any automorphism $\pi$. 


Claim 1 $X = \bigcup_{F \in \mathcal{U} \cup \mathcal{V}} F^\sharp$. 

Proof. Take any $x \in X$. Let $S = \bigcup_{F \in \mathcal{U} \cup \mathcal{V}} \mathrm{sup}(F)$. Since $\mathcal{U}$ and $\mathcal{V}$ are finite, $S$ is 
a finite set. Pick an automorphism $\pi$ such that its inverse $\pi^{-1}$ maps $\mathrm{sup}(x)$ to 
a set disjoint with $S$. Consider the element $y = \pi^{-1} \cdot x \in X$. Since $U \cup V = X$, 
there must be some $F \in \mathcal{U} \cup \mathcal{V}$ such that $y \in F$. Then $x \in F^\sharp$. 

Let us first prove the lemma for the special case where $X = F^\sharp$ for some 
$F \in \mathcal{U} \cup \mathcal{V}$. Suppose that $X = F^\sharp$ for some $F \in \mathcal{U}$ (the case $F \in \mathcal{V}$ is symmetric). 


Claim 2 Every $y \in X$ with $\mathrm{sup}(y) \cap \mathrm{sup}(F) = \emptyset$ belongs to $F$. 

Proof. Take any $y$ as above. As $X = F^\sharp$, there is some $\pi$ and $x \in F$ such that 
$y = \pi \cdot x$ and $\mathrm{sup}(x) \cap \mathrm{sup}(F) = \emptyset$. Pick an automorphism $\theta$ such that: 

– $\theta$ agrees with $\pi$ on $\mathrm{sup}(x)$, mapping it bijectively to $\mathrm{sup}(y)$, 
– $\theta$ fixes $\mathrm{sup}(F)$ pointwise. 

Such a $\theta$ exists since $\mathrm{sup}(x)$ and $\mathrm{sup}(y)$ are both disjoint from $\mathrm{sup}(F)$. Then $\theta \cdot x = 
\pi \cdot x = y$ by the first property above, and $\theta \cdot x \in \theta \cdot F = F$ by the second property. 
Altogether, $y \in F$. 


Claim 3 For every $G \in \mathcal{V}$, $\mathrm{sup}(F) \cap \mathrm{sup}(G) \neq \emptyset$. 

Proof. We show that if $\mathrm{sup}(G)$ is disjoint from $\mathrm{sup}(F)$ then $G$ must be empty, 
contradicting our previous assumption. 

Suppose $x \in G$. Pick an automorphism $\pi$ which fixes $\mathrm{sup}(G)$ pointwise and 
maps $\mathrm{sup}(x)$ to a set disjoint with $\mathrm{sup}(F)$. Such a $\pi$ exists because $\mathrm{sup}(G)$ and 
$\mathrm{sup}(F)$ are disjoint. Letting $y := \pi \cdot x$, we have $y \in F$ by Claim 2, and moreover 
$y = \pi \cdot x \in \pi \cdot G = G$. Then $y \in F \cap G \subseteq U \cap V = \emptyset$, a contradiction. This proves 
$G = \emptyset$, which in turn contradicts the assumption that $\emptyset \notin \mathcal{V}$. 

Denote $T = \mathrm{sup}(F)$. If $T = \emptyset$ then by Claim 3, $\mathcal{V}$ has dimension 0 and 
therefore $V$ is supported by the empty set. So we may assume that $T \neq \emptyset$. For 
the same reason we may assume that the family $\mathcal{V}$ is not empty. 
Let $\mathrm{ATOMS}_T$ be obtained from ATOMS by including the elements of $T$ as 
new constants. Hence, $\mathrm{ATOMS}_T$ extends ATOMS by at most $r$ constants, where 
$r := \dim(\mathcal{F})$. 

Let $l$ be the number of orbits in $\mathcal{F}$. By Lem. 2, the family $\mathcal{F}$, treated as a 
family of sets over the atoms $\mathrm{ATOMS}_T$, is still orbit-finite, with the number of 
orbits $l'$ depending only on $l$ and $r$. Clearly, $U \uplus V$ remains a split of $\mathcal{F}$. Note 
that if $F \in \mathcal{F}$ is supported by some set $S$ over ATOMS, then $F$ is supported by $S$, 
indeed even by $S \setminus T$, over $\mathrm{ATOMS}_T$. In particular, the dimension of $\mathcal{F}$ does not 
increase by moving from ATOMS to $\mathrm{ATOMS}_T$. More interestingly, by Claim 3, 
the least supports of all the elements in $\mathcal{V}$ actually decrease when considering 
$\mathrm{ATOMS}_T$ as atoms. Since $\mathcal{V}$ is not empty, the dimension of $\mathcal{V}$ strictly decreases 
and it follows that $\dim(\mathcal{U}) + \dim(\mathcal{V}) < k$ over $\mathrm{ATOMS}_T$. Applying the inductive 
assumption yields a set $T'$ of size $N'$, depending on $k - 1$ and $l'$, such that 
$T'$ supports $V$ over $\mathrm{ATOMS}_T$. By construction, $V$ is supported by $T \cup T'$ over 
ATOMS. Note that 

$|T \cup T'| \leq N'' := N' + r.$ 


This concludes the proof in the special case when $X = F^\sharp$ for some $F \in \mathcal{U} \cup \mathcal{V}$. 
In the general case, for each $F \in \mathcal{U} \cup \mathcal{V}$ define: 

$\mathcal{F}_F := \{G \cap F^\sharp \mid G \in \mathcal{F}\}$ 

$\mathcal{U}_F := \{G \cap F^\sharp \mid G \in \mathcal{U}\}$, $\mathcal{V}_F := \{G \cap F^\sharp \mid G \in \mathcal{V}\}$, 
$U_F := U \cap F^\sharp = \bigcup \mathcal{U}_F$, $V_F := V \cap F^\sharp = \bigcup \mathcal{V}_F$. 

Then $\bigcup \mathcal{F}_F = F^\sharp$ and $(U_F, V_F)$ is a split of $\mathcal{F}_F$ which falls into the special 
case considered above. Hence, $U_F$ has some support $S_F$ of size at most $N''$. 

Then $U$ is supported by $S := \bigcup_{F \in \mathcal{U} \cup \mathcal{V}} S_F$. Note that $S_F$ only depends on the 
orbit of $F$, as $F^\sharp = (\pi \cdot F)^\sharp$ for any automorphism $\pi$. As there are $l$ such orbits 
contained in $\mathcal{F}$, it follows that $S$ has size at most $N := N'' \cdot l$. This concludes the 
inductive step, and the proof of Lem. 3. 


Using Lem. 3, we now proceed to prove Lem. 1. 


Proof (of Lemma 1). Consider an equivariant set $X$ and an equivariant, orbit- 
finite family $\mathcal{F}$ of finitely supported subsets of $X$. Let $((U_i, V_i))_{i \in I}$ be a family 
of splits of $\mathcal{F}$. By Lem. 3, each one of these splits is supported by some set of a 
bounded size. Applying suitable automorphisms to each of these splits, we can 
obtain a family of splits $((U'_i, V'_i))_{i \in I}$ such that, for all $i \in I$: 

– $U'_i$ and $U_i$ are in the same orbit, and 
– each $U'_i$ is supported by the same set $S$. 


It is now enough to show that there are only finitely many subsets $U \subseteq X$ 
supported by a fixed set $S$, which are unions of elements of $\mathcal{F}$. 

By Lem. 2 it follows that $\mathcal{F}$ has finitely many orbits under the action of 
the group $\mathrm{Aut}(\mathrm{ATOMS}_S)$ of all automorphisms which fix $S$ pointwise. (Here, as 
in the statement of Lem. 1, ATOMS are the pure equality atoms without any 
constants.) If a set $U \subseteq X$ supported by $S$ contains some $F \in \mathcal{F}$ as a subset, 
then it contains $\pi \cdot F$ for every $\pi \in \mathrm{Aut}(\mathrm{ATOMS}_S)$. In other words, $U$ contains 
(the union of) the entire orbit in $\mathcal{F}$ under the action of $\mathrm{Aut}(\mathrm{ATOMS}_S)$. Since we 
assume that $U$ is a union of elements of $\mathcal{F}$, it is a union of (the unions of) orbits 
in $\mathcal{F}$, and there are only finitely many of these. 
This completes the proof of Lem. 1. 


7 Application to Unambiguous Register Automata 


Lemma 1 is interesting in its own right and its applications are not limited to 
the ones mentioned in Sec. 4. We shall now show how it can be used to decide 
universality (and hence also language containment and equality, cf. [8, Lem. 8]) 
of URA over the pure equality atoms ATOMS. 


Theorem 4. [22, Thm. 14] The language containment and equality problems 
are decidable for unambiguous register automata. 


As an application of Lem. 1, we give an alternative decidability proof for the 
universality problem of URA. First, we prove a consequence of Lem. 1. 


Lemma 4. Let $X$ be an equivariant set over equality atoms, and let $\mathcal{F}$ be an 
equivariant, orbit-finite family of finitely supported subsets of $X$. There is a 
bound $M$, computable from $\dim(\mathcal{F})$ and the number of orbits in $\mathcal{F}$, such that 
every $\mathcal{P} \subseteq \mathcal{F}$ which is a partition of $X$ has size at most $M$. 

Proof. Let $\mathcal{G} = \{U \mid (U,V) \text{ is a split of } \mathcal{F}\}$. By Lem. 1, $\mathcal{G}$ is orbit-finite. More- 
over, its elements are finitely supported. Let $\mathcal{P} \subseteq \mathcal{F}$ be a partition of $X$ into 
nonempty subsets. For each $\mathcal{U} \subseteq \mathcal{P}$, the union $\bigcup \mathcal{U}$ belongs to $\mathcal{G}$; in particular, 
we have $2^{|\mathcal{P}|}$ elements of $\mathcal{G}$, each containing different sets in $\mathcal{P}$. The proof is 
completed by the following counting argument.¹ 

Let $S = \bigcup_{F \in \mathcal{P}} \mathrm{sup}(F)$. An $S$-orbit in $\mathcal{G}$ is an orbit in $\mathcal{G}$ with respect to the 
action of those atom permutations which fix $S$ pointwise. Equivalently, it is an 
orbit in $\mathcal{G}$ viewed as an $\mathrm{Aut}(\mathrm{ATOMS}_S)$-set. By Lem. 2, for any finite $S \subseteq \mathrm{ATOMS}$, 
the number of $S$-orbits in $\mathcal{G}$ is bounded by $l \cdot (|S| + 1)^k$, where $k$ and $l$ are 
computable from $\dim(\mathcal{F})$ and the number of orbits of $\mathcal{F}$. 

Two splits $G, G' \in \mathcal{G}$ in the same $S$-orbit contain the same elements of $\mathcal{P}$: if 
$G' = \pi \cdot G$ then by equivariance of $\mathcal{F}$ and $S$, for each $F \in \mathcal{P}$ we have $F \subseteq G$ if 
and only if $\pi \cdot F \subseteq \pi \cdot G$, but $\pi \cdot F = F$ when $\pi$ fixes $S$ pointwise. Hence, for any 
two distinct $\mathcal{U}, \mathcal{U}' \subseteq \mathcal{P}$, their unions $\bigcup \mathcal{U}$ and $\bigcup \mathcal{U}'$ belong to different $S$-orbits 
in $\mathcal{G}$, so there are at least $2^{|\mathcal{P}|}$ such orbits. As $|S| \leq \dim(\mathcal{F}) \cdot |\mathcal{P}|$, we get: 

$2^{|\mathcal{P}|} \leq l \cdot (|S| + 1)^k \leq l \cdot (\dim(\mathcal{F}) \cdot |\mathcal{P}| + 1)^k.$ 

It follows that $|\mathcal{P}|$ is bounded by some $M$ computable from $k$, $l$, and $\dim(\mathcal{F})$. 


¹ It exhibits the well-known fact that equality atoms have the NIP property studied 
in model theory. 
Lemma 4 has the following corollary, which is a strong restriction on the 
structure of universal URA and easily yields Thm. 4. 

Call a configuration $c$ of a NRA $\mathcal{A}$ nonempty if the NRA accepts some word 
from this configuration, i.e., the following language is nonempty: 

$L_c := \{w \in A^* \mid \mathcal{A} \text{ accepts } w \text{ from } c\}.$ 


Since NRA emptiness is decidable, it is not difficult to modify any given NRA to 
one with only nonempty configurations. This transformation preserves URA, so 
we may safely assume that we only consider URA with this property. 


Corollary 1. Let A be a URA with nonempty configurations and which accepts 
every input word. Then there is a computable bound M such that A may reach 
at most M different configurations when reading any given input word. 


Proof. Let $\mathcal{A}$ be an URA over an input alphabet $A = S \times \mathrm{ATOMS}$. Let $C$ be the 
set of configurations of $\mathcal{A}$ and let $\mathcal{F} := \{L_c \mid c \in C\}$. Note that $\dim(\mathcal{F})$ is not 
larger than the number of registers $r$ of $\mathcal{A}$, and the number of orbits in $\mathcal{F}$ is not 
larger than the number of orbits of configurations in $\mathcal{A}$, which in turn is equal to 
the number of control states in $\mathcal{A}$ times the number of orbits in $(\mathrm{ATOMS} \uplus \{\bot\})^r$ 
(equal to the $(r+1)$-st Bell number). 

For each $w \in A^*$, the set $\mathcal{A}(w) \subseteq C$ of configurations reachable when reading 
$w$ is finite, since $\mathcal{A}$ has no guessing. Unambiguity of $\mathcal{A}$ implies that the family 

$\mathcal{P}_w := \{L_c \mid c \in \mathcal{A}(w)\} \subseteq \mathcal{F}$ 

consists of pairwise disjoint sets. If additionally $L(\mathcal{A}) = A^*$, then $\mathcal{P}_w$ forms 
a partition of $A^*$, so $|\mathcal{P}_w| \leq M$ where $M$ is the bound from Lemma 4. As 
$|\mathcal{A}(w)| \leq |\mathcal{P}_w|$, this yields the corollary. 


Decidability of universality of URA now follows using standard ideas. 


Proof (of Thm. 4, sketch). We use the notation of the proof of Cor. 1. The idea 
is to construct the truncated powerset automaton whose states are sets of at 
most $M$ states of $\mathcal{A}$. 

Let $C'$ denote the family of subsets of $C$ of size at most $M$; then $C'$ is orbit- 
finite. We define a deterministic automaton $\mathcal{A}'$ with an infinite, but orbit-finite 
state space $C'$. Its transitions are $X \xrightarrow{a} Y$, for $X, Y \in C'$ and $a \in A$ such that 

$Y = \{y \in C \mid x \xrightarrow{a} y \text{ in } \mathcal{A},\ x \in X\}.$ 

The initial state of $\mathcal{A}'$ is the set $C_0 \subseteq C$ of initial configurations of $\mathcal{A}$ (unless 
$|C_0| > M$, but then $L(\mathcal{A}) \neq A^*$ by the corollary). Accepting states are all states 
$X \in C'$ which contain an accepting configuration of $\mathcal{A}$. All the ingredients of $\mathcal{A}'$ 
are equivariant, orbit-finite sets, so $\mathcal{A}'$ is an orbit-finite deterministic automaton, 
and can be effectively constructed given $\mathcal{A}$ and $M$. Its language $L(\mathcal{A}')$ is defined 
as usual. By construction, 

– $L(\mathcal{A}') \subseteq L(\mathcal{A}) \subseteq A^*$; 
– if $L(\mathcal{A}) = A^*$ then $L(\mathcal{A}') = A^*$, by Cor. 1. 

Hence, $\mathcal{A}'$ is universal if and only if $\mathcal{A}$ is universal. Since $\mathcal{A}'$ is orbit-finite, 
universality of $\mathcal{A}'$ can be effectively decided, using standard techniques for orbit- 
finite automata [1,5]: by first complementing and then testing emptiness. 


8 Proof of Theorem 2 


Towards proving Thm. 2, assume $\mathcal{A}$ and $\mathcal{B}$ are two complementing 1-NRA over 
an alphabet $A = S \times \mathrm{ATOMS}$ and that ATOMS admit WQO. 

Recall that configurations of a 1-NRA are either of the form $q(a)$ where $q$ is 
a control state and $a \in \mathrm{ATOMS}$ is the register value, or of the form $q(\bot)$ when 
the register value is still undefined. We assume, without losing generality, that 
both register automata $\mathcal{A}$ and $\mathcal{B}$ immediately update their register, i.e., every 
transition rule outgoing from an initial state updates the register. 

Let $Q$ and $Q'$ denote sets of control states of $\mathcal{A}$ and $\mathcal{B}$, respectively, and 
assume without losing generality that $Q$ and $Q'$ are disjoint. 

For every nonempty data word $w \in A^+$, the set $\mathcal{A}(w) \cup \mathcal{B}(w)$ of configura- 
tions of $\mathcal{A}$ and $\mathcal{B}$ reachable along $w$ is finite, since NRA have no guessing, and 
contains no undefined configurations of the form $q(\bot)$ due to the immediate up- 
date assumption. For every $w \in A^*$ define a finite induced substructure $C_w$ of 
ATOMS, labeled with the finite set $P = \mathcal{P}(Q \cup Q')$, as follows. The elements of 
$C_w$ are the atoms that appear in configurations in $\mathcal{A}(w) \cup \mathcal{B}(w)$: 

$C_w = \{a \in \mathrm{ATOMS} \mid (q,a) \in \mathcal{A}(w) \cup \mathcal{B}(w) \text{ for some state } q\}.$ 

The labeling $\ell_w\colon C_w \to P$ of $C_w$ maps $a \in C_w$ to the set of all control states 
which appear in $\mathcal{A}(w) \cup \mathcal{B}(w)$ together with $a$: 

$\ell_w(a) = \{q \in Q \mid (q,a) \in \mathcal{A}(w)\} \cup \{q \in Q' \mid (q,a) \in \mathcal{B}(w)\}.$ 

Let $L = L(\mathcal{A})$. For each $v \in A^*$ define the partition of $A^*$ into: 

$U_v = \{w \in A^* \mid vw \in L\}$ and $V_v = \{w \in A^* \mid vw \notin L\}.$ 

Recall that $u \sim_L v$ if and only if $U_u = U_v$. 

Claim. Let $u,v \in A^+$. If $C_u \leq C_v$ then $\pi \cdot u \sim_L v$ for some automorphism $\pi$. 


Proof. By definition of $\leq$, there is some $\pi \in \mathrm{Aut}(\mathrm{ATOMS})$ which maps $C_u$ to a 
substructure of $C_v$, so that $\pi \cdot C_u \subseteq C_v$ and 

$\ell_u(a) = \ell_v(\pi(a))$ for $a \in C_u$. (2) 

Let $u' = \pi \cdot u$. By equivariance of register automata, if $\mathcal{A}$ reaches a config- 
uration $(q,a)$ when reading $u$, then it reaches the configuration $(q,\pi(a))$ when 
reading $u' = \pi \cdot u$. Hence, $C_{u'} \subseteq C_v$ and $\ell_{u'}(\pi(a)) = \ell_u(a)$ for $a \in C_u$. Together 
with (2) we get $\ell_{u'}(a) = \ell_v(a)$ for all $a \in C_{u'}$. 
We show that this implies $U_{u'} = U_v$, which will yield the claim as $u' = \pi \cdot u$. 
Towards proving $U_{u'} \subseteq U_v$ take any $w \in U_{u'}$; then $u'w \in L$. Pick an accepting 
run of $\mathcal{A}$ on $u'w$. Let $q(a)$ be the configuration of $\mathcal{A}$ in this run reached after 
reading the (nonempty) prefix $u'$. In particular, $\mathcal{A}$ accepts $w$ starting from the 
configuration $q(a)$. Moreover, $a \in C_{u'}$ and $q \in \ell_{u'}(a)$. As $C_{u'} \subseteq C_v$ and $\ell_{u'}(a) = 
\ell_v(a)$, it follows that $\mathcal{A}$ may reach the configuration $q(a)$ after reading $v$. As $w$ is 
accepted by $\mathcal{A}$ from this configuration, it follows that $\mathcal{A}$ accepts $vw$, so $w \in U_v$. 

The inclusion $V_{u'} \subseteq V_v$ is proved by a similar argument, using $\mathcal{B}$ instead of 
$\mathcal{A}$, since $L(\mathcal{B}) = A^* \setminus L(\mathcal{A}) = A^* \setminus L$. As $U_{u'} = A^* \setminus V_{u'}$ and $V_v = A^* \setminus U_v$, the 
inclusion $V_{u'} \subseteq V_v$ implies $U_{u'} \supseteq U_v$. Altogether, $U_{u'} = U_v$, so $u' \sim_L v$, yielding 
the claim. 

Theorem 2 now follows easily: assume towards a contradiction that $A^*/{\sim_L}$ 
is not orbit-finite. Then there is an infinite set $X \subseteq A^+$ such that $\pi(u) \not\sim_L v$ for 
all distinct $u,v \in X$ and $\pi \in \mathrm{Aut}(\mathrm{ATOMS})$. As ATOMS admits WQO, there are 
distinct $u,v \in X$ such that $C_u \leq C_v$. The claim above yields a contradiction. 


9 Final remarks 


We have studied a deterministic collapse for NRA: if a language and its comple- 
ment are both recognized by NRA then they are also recognized by DRA. We 
have proved this for register automata over equality atoms; and for automata 
with one register only, over any atoms that admit WQO. We have also applied 
our key technical observation, namely orbit-finiteness of the set of splits of an 
orbit-finite family of sets, in order to re-prove decidability of universality of URA. 

The assumed form $A = S \times \mathrm{ATOMS}$ of the input alphabets is not important; 
the results apply to arbitrary orbit-finite input alphabets $A$. 

The proof of our main result (also of decidability of universality of URA) is 
effective, with elementary bounds. In particular, given two NRA with comple- 
menting languages the equivalent DRA from Thm. 1 has an exponential num- 
ber of registers and a doubly-exponential number of orbits of states. The same 
bounds apply to a DRA constructed in our proof of Thm. 4. Moreover, assum- 
ing ATOMS satisfy standard effectiveness assumptions, like decidability of their 
first-order theory, one can also compute an equivalent DRA from Thm. 2. 

Concerning possible generalisations of our results, we believe that Thm. 1 
holds not only for equality atoms, but for arbitrary oligomorphic $\omega$-stable atoms. 
These include e.g. the nested equality atoms mentioned in Sec. 2. On the other 
hand Thm. 1 does not extend to disjoint but non-complementing NRA languages: 
it is not true that for every two disjoint NRA languages there is a DRA language 
that separates them, i.e., includes one of them and is disjoint from the other. 
The corresponding decision problem (given two disjoint NRA, does a separating 
DRA exist?) is decidable when the number of registers of a separating automaton 
is fixed [9], and open in general. 

An intriguing open question (not unlike the WQO Dichotomy Conjecture [19]) 
is whether it is necessary for ATOMS to admit WQO for Thm. 2 to hold. 
Abstract Different classes of automata on infinite words have different 
expressive power. Deciding whether a given language $L \subseteq \Sigma^\omega$ can be 
expressed by an automaton of a desired class can be reduced to deciding 
a game between Prover and Refuter: in each turn of the game, Refuter 
provides a letter in $\Sigma$, and Prover responds with an annotation of the 
current state of the run (for example, in the case of Büchi automata, 
whether the state is accepting or rejecting, and in the case of parity 
automata, what the color of the state is). Prover wins if the sequence 
of annotations she generates is correct: it is an accepting run iff the 
word generated by Refuter is in L. We show how a winning strategy 
for Refuter can serve as a simple and easy-to-understand certificate to 
inexpressibility, and how it induces additional forms of certificates. Our 
framework handles all classes of deterministic automata, including ones 
with structural restrictions like weak automata. In addition, it can be 
used for refuting separation of two languages by an automaton of the 
desired class, and for finding automata that approximate L and belong 
to the desired class. 


Keywords: Automata on infinite words - Expressive power - Games. 


1 Introduction 


Finite automata on infinite objects were first introduced in the 60’s, and were 
the key to the solution of several fundamental decision problems in mathemat- 
ics and logic [8,33,41]. Today, automata on infinite objects are used for speci- 
fication, verification, and synthesis of nonterminating systems. The automata- 
theoretic approach reduces questions about systems and their specifications to 
questions about automata [28,49], and is at the heart of many algorithms and 
tools. Industrial-strength property-specification languages such as the IEEE 1850 
Standard for Property Specification Language (PSL) [14] include regular expres- 
sions and/or automata, making specification and verification tools that are based 
on automata even more essential and popular. 


A run $r$ of an automaton on infinite words is an infinite sequence of states, and 
acceptance is determined with respect to the set of states that $r$ visits infinitely 
often. For example, in Büchi automata, some of the states are designated as 
accepting states, denoted by $\alpha$, and a run is accepting iff it visits states from 
the accepting set $\alpha$ infinitely often [8]. Dually, in co-Büchi automata, a run is 
accepting if it visits the set $\alpha$ only finitely often. Then, in parity automata, the 
acceptance condition maps each state to a color in some set $C = \{j,\ldots,k\}$, for 
$j \in \{0,1\}$ and some index $k > 0$, and a run is accepting if the maximal color it 
visits infinitely often is odd. 


The different classes of automata have different expressive power. For ex- 
ample, while deterministic parity automata can recognize all $\omega$-regular lan- 
guages, deterministic Büchi automata cannot [29]. We use DBW, DCW, and 
DPW to denote a deterministic Büchi, co-Büchi, and parity word automaton, 
respectively, or (this would be clear from the context) the set of languages 
recognizable by the automata in the corresponding class. There has been ex- 
tensive research on expressiveness of automata on infinite words [48,20]. In 
particular, researchers have studied two natural expressiveness hierarchies in- 
duced by different classes of deterministic automata. The first hierarchy is the 
Mostowski Hierarchy, induced by the index of parity automata [35,50]. For- 
mally, let $\mathrm{DPW}[0,k]$ denote a DPW with $C = \{0,\ldots,k\}$, and similarly for 
$\mathrm{DPW}[1,k]$ and $C = \{1,\ldots,k\}$. Clearly, $\mathrm{DPW}[0,k] \subseteq \mathrm{DPW}[0,k+1]$, and simi- 
larly $\mathrm{DPW}[1,k] \subseteq \mathrm{DPW}[1,k+1]$. The hierarchy is infinite and strict. Moreover, 
$\mathrm{DPW}[0,k]$ complements $\mathrm{DPW}[1,k+1]$, and for every $k > 0$, there are languages 
$L_k$ and $L'_k$, such that $L_k \in \mathrm{DPW}[0,k] \setminus \mathrm{DPW}[1,k+1]$ and $L'_k \in \mathrm{DPW}[1,k+1] \setminus \mathrm{DPW}[0,k]$. 
At the bottom of this hierarchy, we have DBW and DCW. 
Indeed, $\mathrm{DBW} = \mathrm{DPW}[0,1]$ and $\mathrm{DCW} = \mathrm{DPW}[1,2]$. 

While the Mostowski Hierarchy refines DPWs, the second hierarchy, which we 
term the depth hierarchy, refines deterministic weak automata (DWWs). Weak 
automata can be viewed as a special case of Büchi or co-Büchi automata in which 
every strongly connected component in the graph induced by the structure of the 
automaton is either contained in $\alpha$ or is disjoint from $\alpha$, where $\alpha$ is, depending on 
the acceptance condition, the set of accepting or rejecting states. The structure of 
weak automata captures the alternation between greatest and least fixed points 
in many temporal logics, and they were introduced in this context in [36]. DWWs 
have been used to represent vectors of real numbers [6], and they have many 
appealing theoretical and practical properties [32,21]. In terms of expressive 
power, $\mathrm{DWW} = \mathrm{DCW} \cap \mathrm{DBW}$. 


The depth hierarchy is induced by the depth of alternation between accepting 
and rejecting components in DWWs. For this, we view a DWW as a DPW 
in which the colors visited along a run can only increase. Accordingly, each 
run eventually gets trapped in a single color, and is accepting iff this color is 
odd. We use $\mathrm{DWW}[0,k]$ and $\mathrm{DWW}[1,k]$ to denote weak-$\mathrm{DPW}[0,k]$ and weak- 
$\mathrm{DPW}[1,k]$, respectively. The picture obtained for the depth hierarchy is identical 
to that of the Mostowski hierarchy, with $\mathrm{DWW}[j,k]$ replacing $\mathrm{DPW}[j,k]$ [50]. 
At the bottom of the depth hierarchy we have co-safety and safety languages 
[2]. Indeed, co-safety languages are $\mathrm{DWW}[0,1]$ and safety are $\mathrm{DWW}[1,2]$. 

Beyond the theoretical interest in expressiveness hierarchies, their study is 
motivated by the fact that many algorithms, like synthesis and probabilistic model 
checking, need to operate on deterministic automata [5,3]. The lower the au- 
tomata are in the expressiveness hierarchy, the simpler are algorithms for rea- 
soning about them. Simplicity goes beyond complexity, which typically depends 
on the parity index [16], and involves important practical considerations like min- 
imization and canonicity (exists only for DWWs [32]), circumvention of Safra's 
determinization [26], and symbolic implementations [47]. Of special interest is 
the characterization of DBWs. For example, it is shown in [25] that given a 
linear temporal logic formula $\psi$, there is an alternation-free $\mu$-calculus formula 
equivalent to $\forall\psi$ iff $\psi$ can be recognized by a DBW. Further research studies 
typeness for deterministic automata, examining the ability to define a weaker 
acceptance condition on top of a given automaton [19,21]. 

Our goal in this paper is to provide a simple and easy-to-understand expla- 
nation to inexpressibility results. The need to accompany results of decision pro- 
cedures by an explanation (often termed “certificate” ) is not new, and includes 
certification of a “correct” decision of a model checker [24,44], reachability cer- 
tificates in complex multi-agent systems [1], and explainable reactive synthesis 
[4]. To the best of our knowledge, our work is the first to provide certification to 
inexpressibility results. 

The underlying idea is simple: Consider a language $L$ and a class $\gamma$ of de- 
terministic automata. We consider a turn-based two-player game in which one 
player (Refuter) provides letters in $\Sigma$, and the second player (Prover) responds 
with letters from a set $A$ of annotations that describe states in a deterministic 
automaton. For example, when we consider a DBW, then $A = \{\mathrm{ACC}, \mathrm{REJ}\}$, and 
when we consider a $\mathrm{DPW}[0,k]$, then $A = \{0,\ldots,k\}$. Thus, during the interac- 
tion, Refuter generates a word $x \in \Sigma^\omega$ and Prover responds with a word $y \in A^\omega$. 
Prover wins if for all words $x \in \Sigma^\omega$, we have that $x \in L$ iff $y$ is accepting accord- 
ing to $\gamma$. Clearly, if there is a deterministic $\gamma$ automaton for $L$, then Prover can 
win by following its run on $x$. Dually, a finite-state winning strategy for Prover 
induces a deterministic $\gamma$ automaton for $L$. The game-based approach is not new, 
and has been used for deciding the membership of given $\omega$-regular languages in 
different classes of deterministic automata [26]. Further, the game-based formu- 
lation is used in descriptive set theory to classify sets into hierarchies, see for 
example [39, Chapters 4 and 5] for an introduction that focuses on $\omega$-regular 
languages. Our contribution is a study of strategies for Refuter. Indeed, since 
the above described game is determined [9] and the strategies are finite-state, 
Refuter has a winning strategy iff no deterministic $\gamma$ automaton for $L$ exists, 
and this winning strategy can serve as a certificate for inexpressibility. 


Example 1. Consider the language $L_{\neg\infty a} \subseteq \{a, b\}^\omega$ of all words with only finitely many $a$'s. It is well known that $L_{\neg\infty a}$ cannot be recognized by a DBW [29]. In Figure 1 we describe what we believe to be the neatest proof of this fact.

Figure 1. A refuter for DBW-recognizability of “only finitely many $a$'s”.

The figure describes a transducer $R$ with inputs in $\{ACC, REJ\}$ and outputs in $\{a, b\}$: the winning strategy of Refuter in the above described game. The way to interpret $R$ is as follows. In each round of the game, Prover tells Refuter whether the run of her DBW for $L_{\neg\infty a}$ is in an accepting or a rejecting state, and Refuter uses $R$ in order to respond with the next letter in the input word. For example, if Prover starts with ACC, namely declaring that the initial state of her DBW is accepting, then Refuter responds with $a$, and if Prover continues with REJ, namely declaring that the state reachable with $a$ is rejecting, then Refuter responds with $b$. If Prover continues with REJ forever, then Refuter continues with $b$ forever. Thus, together Prover and Refuter generate two words: $y \in \{ACC, REJ\}^\omega$ and $x \in \{a, b\}^\omega$. Prover wins whenever $x \in L_{\neg\infty a}$ iff $y$ contains infinitely many ACC's. If Prover indeed has a DBW for $L_{\neg\infty a}$, then she can follow its transition function and win the game. By following the refuter $R$, however, Refuter can always fool Prover and generate a word $x$ such that $x \in L_{\neg\infty a}$ iff $y$ contains only finitely many ACC's. □


We first define refuters for DBW-recognizability, and study their construction and size for languages given by deterministic or nondeterministic automata. Our refuters serve as a first inexpressibility certificate. We continue and argue that each DBW-refuter for a language $L$ induces three words $x \in \Sigma^*$ and $x_1, x_2 \in \Sigma^+$, such that $x \cdot (x_1 + x_2)^* \cdot x_1^\omega \subseteq L$ and $x \cdot (x_1^* \cdot x_2)^\omega \cap L = \emptyset$. The triple $(x, x_1, x_2)$ is an additional certificate for $L$ not being in DBW. Indeed, we show that a language $L$ is not in DBW iff it has a certificate as above. For example, the language $L_{\neg\infty a}$ has a certificate $(\epsilon, b, a)$. In fact, we show that Landweber's proof for $L_{\neg\infty a}$ can be used as is for all languages not in DBW, with $x_1$ replacing $b$, $x_2$ replacing $a$, and adding $x$ as a prefix.

We then generalize our results on DBW-refutation and certification in two orthogonal directions. The first is an extension to richer classes of deterministic automata, in particular all classes in the two hierarchies discussed above, as well as all deterministic Emerson-Lei automata (DELWs) [17]. For the depth hierarchy, we add to the winning condition of the game a structural restriction. For example, in a weak automaton, Prover loses if the sequence $y \in A^\omega$ of annotations she generates includes infinitely many alternations between ACC and REJ. We show how structural restrictions can be easily expressed in our framework.

The second direction is an extension of the recognizability question to the questions of separation and approximation: We say that a language $L \subseteq \Sigma^\omega$ is a separator for two languages $L_1, L_2 \subseteq \Sigma^\omega$ if $L_1 \subseteq L$ and $L \cap L_2 = \emptyset$. Studies of separation include a search for regular separators of general languages [11], as well as separation of regular languages by weaker classes of languages, e.g., FO-definable languages [40] or piecewise testable languages [12]. In the context of $\omega$-regular languages, [2] presents an algorithm computing the smallest safety language containing a given language $L_1$, thus finding a safety separator for $L_1$ and $L_2$. As far as we know, besides this result there has been no systematic study of separation of $\omega$-regular languages by deterministic automata.

In addition to the interest in separators, we use them in the context of recognizability in two ways. First, a third type of certificate that we suggest for DBW-refutation of a language $L$ are “simple” languages $L_1$ and $L_2$ such that $L_1 \subseteq L$, $L \cap L_2 = \emptyset$, and $(L_1, L_2)$ are not DBW-separable. Second, we use separability in order to approximate languages that are not in DBW. Consider such a language $L \subseteq \Sigma^\omega$. A user may be willing to approximate $L$ in order to obtain DBW-recognizability. Specifically, we assume that there are languages $I_1 \subseteq L$ and $I_2 \subseteq \Sigma^\omega \setminus L$ of words with which the user is willing to under- and over-approximate $L$. Thus, the user searches for a language that is a separator for $L \setminus I_1$ and $\Sigma^\omega \setminus (L \cup I_2)$. We study DBW-separability and DBW-approximation, namely separability and approximation by languages in DBW. In particular, we are interested in finding “small” approximating languages $I_1$ and $I_2$ with which $L$ has a DBW-approximation, and we show how certificates that refute DBW-separation can direct the search for successful $I_1$ and $I_2$. Essentially, as in counterexample guided abstraction-refinement (CEGAR) for model checking [10], we use certificates for non-DBW-separability in order to suggest interesting radius languages. While in CEGAR the refined system excludes the counterexample, in our setting the approximation of $L$ excludes the certificate. As has been the case with recognizability, we extend our results to all classes of deterministic automata.


2 Preliminaries 


2.1 Transducers and Realizability 


Consider two finite alphabets $\Sigma$ and $A$. It is convenient to think about $\Sigma$ as the “main” alphabet, and about $A$ as an alphabet of annotations. For two words $x = x_0 \cdot x_1 \cdot x_2 \cdots \in \Sigma^\omega$ and $y = y_0 \cdot y_1 \cdot y_2 \cdots \in A^\omega$, we define $x \oplus y$ as the word in $(\Sigma \times A)^\omega$ obtained by merging $x$ and $y$. Thus, $x \oplus y = (x_0, y_0) \cdot (x_1, y_1) \cdot (x_2, y_2) \cdots$.

A $(\Sigma/A)$-transducer models a finite-state system that responds with letters in $A$ while interacting with an environment that generates letters in $\Sigma$. Formally, a $(\Sigma/A)$-transducer is $T = (\Sigma, A, \iota, S, s_0, \rho, \tau)$, where $\iota \in \{sys, env\}$ indicates who initiates the interaction (the system or the environment), $S$ is a set of states, $s_0 \in S$ is an initial state, $\rho : S \times \Sigma \to S$ is a transition function, and $\tau : S \to A$ is a labelling function on the states. Consider an input word $x = x_0 \cdot x_1 \cdot x_2 \cdots \in \Sigma^\omega$. The run of $T$ on $x$ is the sequence $s_0, s_1, s_2, \ldots$ such that for all $j \geq 0$, we have that $s_{j+1} = \rho(s_j, x_j)$. The annotation of $x$ by $T$, denoted $T(x)$, depends on $\iota$. If $\iota = sys$, then $T(x) = \tau(s_0) \cdot \tau(s_1) \cdot \tau(s_2) \cdots \in A^\omega$. Note that the first letter in $A$ is the output of $\tau$ in $s_0$. This reflects the fact that the system initiates the interaction. If $\iota = env$, then $T(x) = \tau(s_1) \cdot \tau(s_2) \cdot \tau(s_3) \cdots \in A^\omega$. Note that now, the output in $s_0$ is ignored, reflecting the fact that the environment initiates the interaction.

Consider a language $L \subseteq (\Sigma \times A)^\omega$. Let $comp(L)$ denote the complement of $L$. Thus, $comp(L) = (\Sigma \times A)^\omega \setminus L$. We say that a language $L \subseteq (\Sigma \times A)^\omega$ is $(\Sigma/A)$-realizable by the system if there is a $(\Sigma/A)$-transducer $T$ with $\iota = sys$ such that for every word $x \in \Sigma^\omega$, we have that $x \oplus T(x) \in L$. Then, $L$ is $(A/\Sigma)$-realizable by the environment if there is an $(A/\Sigma)$-transducer $T$ with $\iota = env$ such that for every word $y \in A^\omega$, we have that $T(y) \oplus y \in L$. When the language $L$ is regular, realizability reduces to deciding a game with a regular winning condition. Then, by determinacy of games and due to the existence of finite-memory winning strategies [9], we have the following.


Proposition 1. For every $\omega$-regular language $L \subseteq (\Sigma \times A)^\omega$, exactly one of the following holds.

1. $L$ is $(\Sigma/A)$-realizable by the system.
2. $comp(L)$ is $(A/\Sigma)$-realizable by the environment.


2.2 Automata 


A deterministic word automaton over a finite alphabet $\Sigma$ is $\mathcal{A} = (\Sigma, Q, q_0, \delta, \alpha)$, where $Q$ is a set of states, $q_0 \in Q$ is an initial state, $\delta : Q \times \Sigma \to Q$ is a transition function, and $\alpha$ is an acceptance condition. We extend $\delta$ to words in $\Sigma^*$ in the expected way; thus for $q \in Q$, $w \in \Sigma^*$, and letter $\sigma \in \Sigma$, we have that $\delta(q, \epsilon) = q$ and $\delta(q, w\sigma) = \delta(\delta(q, w), \sigma)$. A run of $\mathcal{A}$ on an infinite word $\sigma_0 \cdot \sigma_1 \cdots \in \Sigma^\omega$ is the sequence of states $r = q_0, q_1, \ldots$, where for every position $i \geq 0$, we have that $q_{i+1} = \delta(q_i, \sigma_i)$. We use $inf(r)$ to denote the set of states that $r$ visits infinitely often. Thus, $inf(r) = \{q : q_i = q$ for infinitely many $i \geq 0\}$.

The acceptance condition $\alpha$ refers to $inf(r)$ and determines whether the run $r$ is accepting. For example, in the Büchi acceptance condition, we have that $\alpha \subseteq Q$, and a run is accepting iff it visits states in $\alpha$ infinitely often; that is, $\alpha \cap inf(r) \neq \emptyset$. Dually, in co-Büchi, $\alpha \subseteq Q$, and a run is accepting iff it visits states in $\alpha$ only finitely often; that is, $\alpha \cap inf(r) = \emptyset$. The language of $\mathcal{A}$, denoted $L(\mathcal{A})$, is then the set of words $w$ such that the run of $\mathcal{A}$ on $w$ is accepting.

A parity condition is $\alpha : Q \to \{0, \ldots, k\}$, for $k \geq 0$, termed the index of $\alpha$. A run $r$ satisfies $\alpha$ iff the maximal color $i \in \{0, \ldots, k\}$ such that $\alpha^{-1}(i) \cap inf(r) \neq \emptyset$ is odd. That is, $r$ is accepting iff the maximal color that $r$ visits infinitely often is odd. Then, a Rabin condition is $\alpha = \{\langle G_1, B_1\rangle, \ldots, \langle G_k, B_k\rangle\}$, with $G_i, B_i \subseteq Q$, for all $1 \leq i \leq k$. A run $r$ satisfies $\alpha$ iff there is $1 \leq i \leq k$ such that $inf(r) \cap G_i \neq \emptyset$ and $inf(r) \cap B_i = \emptyset$. Thus, there is a pair $\langle G_i, B_i\rangle$ such that $r$ visits states in $G_i$ infinitely often and visits states in $B_i$ only finitely often.

All the acceptance conditions above can be viewed as special cases of the Emerson-Lei acceptance condition (EL-condition, for short) [17], which we define below. Let $M$ be a finite set of marks. Given an infinite sequence $\pi = M_0 \cdot M_1 \cdots \in (2^M)^\omega$ of subsets of marks, let $inf(\pi)$ be the set of marks that appear infinitely often in sets in $\pi$. Thus, $inf(\pi) = \{m \in M :$ there exist infinitely many $i \geq 0$ such that $m \in M_i\}$. An EL-condition is a Boolean assertion over atoms in $M$. For simplicity, we consider assertions in positive normal form, where negation is applied only to atoms. Intuitively, marks that appear positively should repeat infinitely often and marks that appear negatively should repeat only finitely often. Formally, a deterministic EL-automaton is $\mathcal{A} = (\Sigma, Q, q_0, \delta, M, \tau, \theta)$, where $\tau : Q \to 2^M$ maps each state to a set of marks, and $\theta$ is an EL-condition over $M$. A run $r$ of $\mathcal{A}$ is accepting if $inf(\tau(r))$ satisfies $\theta$.


For example, a Büchi condition $\alpha \subseteq Q$ can be viewed as an EL-condition with $M = \{acc\}$ and $\tau(q) = \{acc\}$ for $q \in \alpha$ and $\tau(q) = \emptyset$ for $q \notin \alpha$. Then, the assertion $\theta = acc$ is satisfied by sequences $\pi$ induced by runs $r$ with $inf(r) \cap \alpha \neq \emptyset$. Dually, the assertion $\theta = \neg rej$ with $M = \{rej\}$ is satisfied by sequences $\pi$ induced by runs $r$ with $inf(r) \cap \alpha = \emptyset$, and thus corresponds to a co-Büchi condition. In the case of a parity condition $\alpha : Q \to \{0, \ldots, k\}$, it is not hard to see that $\alpha$ is equivalent to an EL-condition in which $M = \{0, 1, \ldots, k\}$, for every state $q \in Q$, we have that $\tau(q) = \{\alpha(q)\}$, and $\theta$ expresses the parity condition. Lastly, a Rabin condition $\alpha = \{\langle G_1, B_1\rangle, \ldots, \langle G_k, B_k\rangle\}$ is equivalent to an EL-condition with $M = \{G_1, B_1, \ldots, G_k, B_k\}$ and $\tau(q) = \{m \in M : q \in m\}$. Note that now, the mapping $\tau$ is not to singletons, and each state is marked by all sets in $\alpha$ in which it is a member. Then, $\theta = \bigvee_{1 \leq i \leq k} (G_i \wedge \neg B_i)$.
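The conditions above, and their EL encodings, can be checked mechanically on ultimately periodic words $u \cdot v^\omega$: $inf(r)$ is obtained by running the automaton on $u$ and then on copies of $v$ until the state at a boundary of $v$ repeats. The following Python code is an added example, not code from the paper. It assumes automata given as explicit transition tables, and uses a constructed DPW (and the equivalent DRW[1]) for “only finitely many $a$'s” over $\{a, b\}$ to confirm that the parity and Rabin conditions agree with their EL encodings; the EL assertion syntax (nested tuples in positive normal form) is our own.

```python
# Added example (not code from the paper): the acceptance conditions of Section 2.2
# evaluated on lasso words u.v^omega, and the encodings of parity and Rabin conditions
# as Emerson-Lei conditions.  A deterministic automaton is given by its transition
# dict delta[(state, letter)] -> state and an initial state; all data is constructed.


def inf_states(delta, q0, prefix, cycle):
    """inf(r) for the run r of the automaton on prefix . cycle^omega.

    After the prefix, the state at a cycle boundary must eventually repeat; the
    states visited between the two occurrences are exactly the ones visited
    infinitely often."""
    q = q0
    for sigma in prefix:
        q = delta[(q, sigma)]
    boundary = {}      # state at a cycle boundary -> index into trace
    trace = []         # states visited, one per letter, after the prefix
    while q not in boundary:
        boundary[q] = len(trace)
        for sigma in cycle:
            trace.append(q)
            q = delta[(q, sigma)]
    return set(trace[boundary[q]:])


# Direct definitions of the acceptance conditions, as functions of inf(r).
def buchi(inf_r, alpha):
    return bool(inf_r & alpha)

def cobuchi(inf_r, alpha):
    return not (inf_r & alpha)

def parity(inf_r, color):
    """Accept iff the maximal colour visited infinitely often is odd."""
    return max(color[q] for q in inf_r) % 2 == 1

def rabin(inf_r, pairs):
    return any(inf_r & G and not (inf_r & B) for G, B in pairs)


# EL-conditions in positive normal form, as nested tuples (our own syntax):
#   ("mark", m) | ("not", ("mark", m)) | ("and", t1, ...) | ("or", t1, ...)
def eval_el(theta, inf_marks):
    op = theta[0]
    if op == "mark":
        return theta[1] in inf_marks
    if op == "not":
        return theta[1][1] not in inf_marks
    if op == "and":
        return all(eval_el(t, inf_marks) for t in theta[1:])
    if op == "or":
        return any(eval_el(t, inf_marks) for t in theta[1:])
    raise ValueError(op)

def accepts_el(delta, q0, tau, theta, prefix, cycle):
    """DELW acceptance: a mark repeats infinitely often iff a state of inf(r) carries it."""
    inf_marks = set()
    for q in inf_states(delta, q0, prefix, cycle):
        inf_marks |= tau.get(q, set())
    return eval_el(theta, inf_marks)


# The encodings from the paper: parity with M = {0..k} and tau(q) = {alpha(q)};
# Rabin with marks G_i, B_i and tau(q) = the sets of alpha that contain q.
def parity_as_el(color):
    k = max(color.values())
    tau = {q: {c} for q, c in color.items()}
    # "some odd colour i repeats infinitely often and no colour above i does"
    theta = ("or", *[("and", ("mark", i), *[("not", ("mark", j)) for j in range(i + 1, k + 1)])
                     for i in range(k + 1) if i % 2 == 1])
    return tau, theta

def rabin_as_el(pairs):
    tau = {}
    for i, (G, B) in enumerate(pairs):
        for q in G:
            tau.setdefault(q, set()).add(("G", i))
        for q in B:
            tau.setdefault(q, set()).add(("B", i))
    theta = ("or", *[("and", ("mark", ("G", i)), ("not", ("mark", ("B", i))))
                     for i in range(len(pairs))])
    return tau, theta


# Constructed example: a DPW over {a, b} for "only finitely many a's".  Reading a
# moves to Q (colour 2), reading b moves to P (colour 1); the maximal colour that
# repeats infinitely often is odd iff a occurs finitely often.  The same language
# as a DRW[1]: visit P infinitely often and Q only finitely often.
DELTA = {("P", "a"): "Q", ("P", "b"): "P", ("Q", "a"): "Q", ("Q", "b"): "P"}
COLOR = {"P": 1, "Q": 2}
PAIRS = [({"P"}, {"Q"})]

def check(prefix, cycle):
    """(parity, parity-as-EL, Rabin, Rabin-as-EL) verdicts on prefix . cycle^omega."""
    inf_r = inf_states(DELTA, "P", prefix, cycle)
    tau_p, theta_p = parity_as_el(COLOR)
    tau_r, theta_r = rabin_as_el(PAIRS)
    return (parity(inf_r, COLOR), accepts_el(DELTA, "P", tau_p, theta_p, prefix, cycle),
            rabin(inf_r, PAIRS), accepts_el(DELTA, "P", tau_r, theta_r, prefix, cycle))

if __name__ == "__main__":
    print(check("aaa", "b"))   # finitely many a's: all four verdicts True
    print(check("bb", "ab"))   # infinitely many a's: all four verdicts False
```

The four verdicts coincide on every lasso because $inf(\tau(r))$ is the union of $\tau(q)$ over $q \in inf(r)$; the EL encodings only repackage which states repeat.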


We use DBW, DCW, DPW, DRW, DELW to denote deterministic Büchi, co-Büchi, parity, Rabin, and EL word automata, respectively. For parity automata, we also use DPW[0, k] and DPW[1, k], for $k \geq 0$, to denote DPWs in which the colours are in $\{0, \ldots, k\}$ and $\{1, \ldots, k\}$, respectively. For Rabin automata, we use DRW[k], for $k \geq 0$, to denote DRWs that have at most $k$ elements in $\alpha$. Finally, we use DELW[$\theta$] to denote DELWs with EL-condition $\theta$. We sometimes use the above acronyms in order to refer to the set of languages that are recognizable by the corresponding class of automata. For example, we say that a language $L$ is in DBW if $L$ is DBW-recognizable, thus there is a DBW $\mathcal{A}$ such that $L = L(\mathcal{A})$. Note that DBW = DPW[0, 1], DCW = DPW[1, 2], and DRW[1] = DPW[0, 2]. In fact, in terms of expressiveness, DRW[k] = DPW[0, 2k] [43,31].


Consider a directed graph $G = (V, E)$. A strongly connected set of $G$ (SCS) is a set $C \subseteq V$ of vertices such that for every two vertices $v, v' \in C$, there is a path from $v$ to $v'$. An SCS $C$ is maximal if it cannot be extended to a larger SCS. Formally, for every nonempty $C' \subseteq V \setminus C$, we have that $C \cup C'$ is not an SCS. The maximal strongly connected sets are also termed strongly connected components (SCC). An automaton $\mathcal{A} = (\Sigma, Q, Q_0, \delta, \alpha)$ induces a directed graph $G_\mathcal{A} = (Q, E)$ in which $(q, q') \in E$ iff there is a letter $\sigma$ such that $q' \in \delta(q, \sigma)$. When we talk about the SCSs and SCCs of $\mathcal{A}$, we refer to those of $G_\mathcal{A}$. Consider a run $r$ of an automaton $\mathcal{A}$. It is not hard to see that the set $inf(r)$ is an SCS. Indeed, since every two states $q$ and $q'$ in $inf(r)$ are visited infinitely often, the state $q'$ must be reachable from $q$.
3 Refuting DBW-Recognizability


Let $A = \{ACC, REJ\}$. We use $\infty ACC$ to denote the subset $\{a_0 \cdot a_1 \cdot a_2 \cdots \in A^\omega :$ there are infinitely many $j \geq 0$ with $a_j = ACC\}$ and $\neg\infty ACC = comp(\infty ACC) = \{a_0 \cdot a_1 \cdot a_2 \cdots \in A^\omega :$ there are only finitely many $j \geq 0$ with $a_j = ACC\}$.

A DBW $\mathcal{A} = (\Sigma, Q, q_0, \delta, \alpha)$ can be viewed as a $(\Sigma/A)$-transducer $T_\mathcal{A} = (\Sigma, A, sys, Q, q_0, \delta, \tau)$, where for every state $q \in Q$, we have that $\tau(q) = ACC$ if $q \in \alpha$, and $\tau(q) = REJ$ otherwise. Then, for every word $x \in \Sigma^\omega$, we have that $x \in L(\mathcal{A})$ iff $T_\mathcal{A}(x) \in \infty ACC$.

For a language $L \subseteq \Sigma^\omega$, we define the language $DBW(L) \subseteq (\Sigma \times A)^\omega$ of words with correct annotations. Thus,

$DBW(L) = \{x \oplus y : x \in L$ iff $y \in \infty ACC\}$.

Note that $comp(DBW(L))$ is the language

$NoDBW(L) = \{x \oplus y : (x \in L$ and $y \notin \infty ACC)$ or $(x \notin L$ and $y \in \infty ACC)\}$.

A DBW-refuter for $L$ is an $(A/\Sigma)$-transducer with $\iota = env$ realizing $NoDBW(L)$.


Example 2. For every language $R \subseteq \Sigma^*$ of finite words, the language $R^\omega \subseteq \Sigma^\omega$ consists of infinite concatenations of words in $R$. It was recently shown that $R^\omega$ may not be in DBW [30]. The language used in [30] is $R = \$ + (0 \cdot \{0, 1, \$\}^* \cdot 1)$. In Figure 2 below we describe a DBW-refuter for $R^\omega$.

Figure 2. A DBW-refuter for $(\$ + (0 \cdot \{0, 1, \$\}^* \cdot 1))^\omega$.

Following $R$, Refuter starts by generating a prefix $0 \cdot 1$ and then responds to ACC with $1$ and to REJ with $\$$. Accordingly, if Prover generates a rejecting run, Refuter generates a word in $0 \cdot 1 \cdot (1 + \$)^* \cdot \$^\omega$, which is in $R^\omega$. Also, if Prover generates an accepting run, Refuter generates a word in $0 \cdot 1 \cdot (1^* \cdot \$^*)^\omega$ with infinitely many $1$'s; such a word has a single $0$ and infinitely many $1$'s, and is therefore not in $R^\omega$. □


By Proposition 1, we have the following.


Proposition 2. Consider a language $L \subseteq \Sigma^\omega$. Let $A = \{ACC, REJ\}$. Exactly one of the following holds:

- $L$ is in DBW, in which case the language $DBW(L)$ is $(\Sigma/A)$-realizable by the system, and a finite-memory winning strategy for the system induces a DBW for $L$.

- $L$ is not in DBW, in which case the language $NoDBW(L)$ is $(A/\Sigma)$-realizable by the environment, and a finite-memory winning strategy for the environment induces a DBW-refuter for $L$.
3.1 Complexity


In this section we analyze the size of refuters. We start with the case where the language $L$ is given by a DPW.


Theorem 1. Consider a DPW $\mathcal{A}$ with $n$ states. Let $L = L(\mathcal{A})$. One of the following holds.

1. There is a DBW for $L$ with $n$ states.
2. There is a DBW-refuter for $L$ with $2n$ states.


Proof. If $L$ is in DBW, then, as DPWs are Büchi type [19], a DBW for $L$ can be defined on top of the structure of $\mathcal{A}$, and so it has $n$ states. If $L$ is not in DBW, then by Proposition 2, there is a DBW-refuter for $L$, namely a $(\{ACC, REJ\}/\Sigma)$-transducer that realizes $NoDBW(L)$. We show that we can define a DRW $\mathcal{U}$ with $2n$ states for $NoDBW(L)$. The result then follows from the fact that a realizable DRW is realized by a transducer of the same size as the DRW [15].

We construct $\mathcal{U}$ by taking the union of the acceptance conditions of a DRW $\mathcal{U}_1$ for $\{x \oplus y : x \in L$ and $y \notin \infty ACC\}$ and a DRW $\mathcal{U}_2$ for $\{x \oplus y : x \notin L$ and $y \in \infty ACC\}$. We obtain both DRWs by taking the product of $\mathcal{A}$, extended to the alphabet $\Sigma \times \{ACC, REJ\}$, with a 2-state automaton for $\infty ACC$, again extended to the alphabet $\Sigma \times \{ACC, REJ\}$.

We describe the construction in detail. Let $\mathcal{A} = (\Sigma, Q, q_0, \delta, \alpha)$. Then, the state space of $\mathcal{U}_1$ is $Q \times \{ACC, REJ\}$ and its transition on a letter $(\sigma, a)$ follows $\delta$ when it reads $\sigma$, with $a$ determining whether $\mathcal{U}_1$ moves to the ACC or REJ copy. Let $\alpha_1$ be the Rabin condition equivalent to $\alpha$. We obtain the acceptance condition of $\mathcal{U}_1$ by replacing each pair $\langle G, B\rangle$ in $\alpha_1$ by $\langle G \times \{REJ\}, B \times \{REJ\} \cup Q \times \{ACC\}\rangle$. It is not hard to see that a run of $\mathcal{U}_1$ satisfies the latter pair iff its projection on $Q$ satisfies the pair $\langle G, B\rangle$ and its projection on $\{ACC, REJ\}$ has only finitely many ACC. The construction of $\mathcal{U}_2$ is similar, with $\alpha_2$ being a Rabin condition that complements $\alpha$, and then replacing each pair $\langle G, B\rangle$ in $\alpha_2$ by $\langle G \times \{ACC\}, B \times \{ACC, REJ\}\rangle$. (Note that, unlike the pair for $\mathcal{U}_1$, this pair is satisfied only when visits to $G$ coincide infinitely often with an ACC annotation, which is a stronger requirement than infinitely many visits to $G$ and infinitely many ACC annotations taken separately.) Since $\mathcal{U}_1$ and $\mathcal{U}_2$ have the same state space, and we only have to take the union of the pairs in their acceptance conditions, the $2n$ bound follows.


Now, when $L$ is given by an NBW, an exponential bound follows from the exponential blow up in determinization [42]. If we are also given an NBW for $comp(L)$, the complexity can be tightened. Formally, we have the following.


Theorem 2. Given NBWs with $n$ and $m$ states, for $L$ and $comp(L)$, respectively, one of the following holds.

1. There is a DBW for $L$ with $\min\{(1.65n)^n, 3^m\}$ states.
2. There is a DBW-refuter for $L$ with $\min\{2 \cdot (1.65n)^n, 2 \cdot (1.65m)^m\}$ states.


Proof. If $L$ is in DBW, then a DBW for $L$ can be defined on top of a DPW for $L$, which has at most $(1.65n)^n$ states [45], or by dualizing a DCW for $comp(L)$. Since the translation of an NBW with $m$ states to a DCW, when it exists, results in a DCW with $3^m$ states [7], we are done. If $L$ is not in DBW, then we proceed as in the proof of Theorem 1, defining $\mathcal{U}$ on top of a DPW for either $L$ or $comp(L)$.
3.2 Certifying DBW-Refutation


Consider a DBW-refuter $R = (\{ACC, REJ\}, \Sigma, env, S, s_0, \rho, \tau)$. We say that a path $s_0, \ldots, s_m$ in $R$ is a REJ$^+$-path if it contains at least one transition and all the transitions along it are labeled by REJ; thus, for all $0 \leq j < m$, we have that $s_{j+1} = \rho(s_j, REJ)$. Then, a path $s_0, \ldots, s_m$ in $R$ is an ACC-path if it contains at least one transition and its first transition is labeled by ACC. Thus, $s_1 = \rho(s_0, ACC)$.


Lemma 1. Consider a DBW-refuter $R = (\{ACC, REJ\}, \Sigma, env, S, s_0, \rho, \tau)$. Then there exist a state $s \in S$, a (possibly empty) path $p = s_0, s_1, \ldots, s_m$, a REJ$^+$-cycle $p_1 = s^1_0, s^1_1, \ldots, s^1_{m_1}$, and an ACC-cycle $p_2 = s^2_0, s^2_1, \ldots, s^2_{m_2}$ such that $s_m = s^1_0 = s^1_{m_1} = s^2_0 = s^2_{m_2} = s$.


Proof. Let $s_i \in S$ be a reachable state that belongs to an ergodic component in the graph of $R$ (that is, $s_i \in C$, for a set $C$ of strongly connected states that can reach only states in $C$). Since $R$ is responsive, in the sense that it can read in each round both ACC and REJ, we can read from $s_i$ the input sequence $REJ^\omega$. Hence, $R$ has a REJ$^+$-path $s_i, \ldots, s_l, \ldots, s_k$ with $s_l = s_k$, for $l < k$. It is easy to see that the claim holds with $s = s_l$. In particular, since $R$ is responsive and $C$ is strongly connected, there exists an ACC-cycle from $s_l$ to itself.


Theorem 3. An $\omega$-regular language $L$ is not in DBW iff there exist three finite words $x \in \Sigma^*$ and $x_1, x_2 \in \Sigma^+$, such that $x \cdot (x_1 + x_2)^* \cdot x_1^\omega \subseteq L$ and $x \cdot (x_1^* \cdot x_2)^\omega \cap L = \emptyset$.


Proof. Assume first that $L$ is not in DBW. Then, by Proposition 2, there exists a DBW-refuter $R$ for it. Let $p = s_0, s_1, \ldots, s_m$, $p_1 = s^1_0, s^1_1, \ldots, s^1_{m_1}$, and $p_2 = s^2_0, s^2_1, \ldots, s^2_{m_2}$ be the path, REJ$^+$-cycle, and ACC-cycle that are guaranteed to exist by Lemma 1. Let $x$, $x_1$, and $x_2$ be the outputs that $R$ generates along them. Formally, $x = \tau(s_1) \cdot \tau(s_2) \cdots \tau(s_m)$, $x_1 = \tau(s^1_1) \cdot \tau(s^1_2) \cdots \tau(s^1_{m_1})$, and $x_2 = \tau(s^2_1) \cdot \tau(s^2_2) \cdots \tau(s^2_{m_2})$. Note that as the environment initiates the interaction, the first letters in the words $x$, $x_1$, and $x_2$ are the outputs in the second states in $p$, $p_1$, and $p_2$. The final step, i.e., that $x$, $x_1$, and $x_2$ satisfy the two conditions of the theorem, can be found in the full version of this article [27].

For the other direction, we adjust Landweber's proof [29] for the non-DBW-recognizability of $L_{\neg\infty a}$ to $L$. Essentially, $L_{\neg\infty a}$ can be viewed as a special case of $x \cdot (x_1 + x_2)^* \cdot x_1^\omega$, with $x = \epsilon$, $x_1 = b$, and $x_2 = a$. Assume by way of contradiction that there is a DBW $\mathcal{A}$ with $L(\mathcal{A}) = L$. Let $\mathcal{A} = (\Sigma, Q, q_0, \delta, \alpha)$. Consider the infinite word $w_0 = x \cdot x_1^\omega$. Since $w_0 \in x \cdot (x_1 + x_2)^* \cdot x_1^\omega$, and so $w_0 \in L$, the run of $\mathcal{A}$ on $w_0$ is accepting. Thus, there is $i_1 > 0$ such that $\mathcal{A}$ visits $\alpha$ when it reads the $x_1$ suffix of $x \cdot x_1^{i_1}$. Consider now the infinite word $w_1 = x \cdot x_1^{i_1} \cdot x_2 \cdot x_1^\omega$. Since $w_1$ is also in $L$, the run of $\mathcal{A}$ on $w_1$ is accepting. Thus, there is $i_2 > 0$ such that $\mathcal{A}$ visits $\alpha$ when it reads the $x_1$ suffix of $x \cdot x_1^{i_1} \cdot x_2 \cdot x_1^{i_2}$. In a similar fashion we can continue to find indices $i_1, i_2, \ldots$ such that for all $j \geq 1$, we have that $\mathcal{A}$ visits $\alpha$ when it reads the $x_1$ suffix of $x \cdot x_1^{i_1} \cdot x_2 \cdot x_1^{i_2} \cdot x_2 \cdots x_1^{i_j}$. Since $Q$ is finite, we can construct a word $w \in x \cdot (x_1^* \cdot x_2)^\omega$ that is accepted, but we assumed that $x \cdot (x_1^* \cdot x_2)^\omega \cap L = \emptyset$, and thus we have reached a contradiction. The details of this step are given in [27].


We refer to a triple $(x, x_1, x_2)$ of words that satisfy the conditions in Theorem 3 as a certificate to the non-DBW-recognizability of $L$.


Example 3. In Example 2, we described a DBW-refuter for $L = (\$ + (0 \cdot \{0, 1, \$\}^* \cdot 1))^\omega$. A certificate to its non-DBW-recognizability is $(x, x_1, x_2)$, with $x = 01$, $x_1 = \$$, and $x_2 = 1$. Indeed, $01 \cdot (\$ + 1)^* \cdot \$^\omega \subseteq L$ and $01 \cdot (\$^* \cdot 1)^\omega \cap L = \emptyset$. □


Note that obtaining certificates according to the proof of Theorem 3 may not give us the shortest certificate. For example, for $L$ in Example 3, the proof would give us $x = 01\$$, $x_1 = \$$, and $x_2 = 1\$$, with $01\$ \cdot (\$ + 1\$)^* \cdot \$^\omega \subseteq L$ and $01\$ \cdot (\$^* \cdot 1\$)^\omega \cap L = \emptyset$. The problem of generating smallest certificates is related to the problem of finding smallest witnesses to DBW non-emptiness [22] and is harder. Formally, defining the length of a certificate $(x, x_1, x_2)$ as $|x| + |x_1| + |x_2|$, we have the following (see proof in [27]):


Theorem 4. Consider a DPW $\mathcal{A}$ and a threshold $l \geq 1$. The problem of deciding whether there is a certificate of length at most $l$ for non-DBW-recognizability of $L(\mathcal{A})$ is NP-complete, for $l$ given in unary or binary.


Remark 1. [Relation with existing characterizations] By [29], the language of a DPW $\mathcal{A} = (\Sigma, Q, q_0, \delta, \alpha)$ is in DBW iff for every accepting SCS $C \subseteq Q$ and SCS $C' \supseteq C$, we have that $C'$ is accepting. The proof of Landweber relies on a complicated analysis of the structural properties of $\mathcal{A}$. As we elaborate in the full version [27], Theorem 3, which relies instead on determinacy of games, suggests an alternative proof. Similarly, [50] examines the structure of a deterministic Muller automaton, and Theorem 3 can be viewed as a special case of Lemma 14 there, with a proof based on the game setting. □


Being an $(A/\Sigma)$-transducer, every DBW-refuter $R$ is responsive and may generate many different words in $\Sigma^\omega$. Below we show that we can leave $R$ responsive and yet let it generate only words induced by a certificate. Formally, we have the following.


Lemma 2. Given a certificate $(x, x_1, x_2)$ to non-DBW-recognizability of a language $L \subseteq \Sigma^\omega$, we can define a refuter $R$ for $L$ such that for every $y \in A^\omega$, if $y \in \infty ACC$, then $R(y) \in x \cdot (x_1^* \cdot x_2)^\omega$, and if $y \in \neg\infty ACC$, then $R(y) \in x \cdot (x_1 + x_2)^* \cdot x_1^\omega$.


Proof. Intuitively, $R$ first ignores the inputs and outputs $x$. It then repeatedly outputs either $x_1$ or $x_2$, according to the following policy: in the first iteration, $R$ outputs $x_1$. If during the output of $x_1$ all inputs are REJ, then $R$ outputs $x_1$ also in the next iteration. If an input ACC has been detected, thus the prover tries to accept the constructed word, the refuter outputs $x_2$ in the next iteration, again keeping track of an ACC input. If no ACC has been input, $R$ switches back to outputting $x_1$. The formal definition of $R$ can be found in [27].
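The interaction of Example 1, the definition of DBW-refuters in Section 3, and the policy of Lemma 2 can be simulated directly. The following Python code is an added example, not code from the paper. It assumes a candidate DBW given as an explicit transition table and plays Refuter's certificate-driven strategy against the Prover that follows that DBW. Since the Refuter's next block is determined by the annotations of the previous one, the pair (DBW state, next block) at a block boundary must repeat within $2|Q|$ blocks, and the play up to that point is the lasso word that Refuter generates. The candidate DBWs and the membership test for $L_{\neg\infty a}$ are constructed for the example.

```python
# Added example (not code from the paper): the game of Section 3 played between a
# Refuter that follows the strategy of Lemma 2 for a certificate (x, x1, x2) and a
# Prover that follows a candidate DBW.  A DBW is (q0, delta, alpha) with
# delta[(state, letter)] -> state; all automata and certificates are constructed.


def run_refuter_game(dbw, cert, max_blocks=100_000):
    """Play until the pair (DBW state, Refuter's next block) repeats at a block
    boundary, which bounds the play by 2|Q| blocks.

    Returns (prefix, cycle, accepted, has_x2): Refuter's word is prefix . cycle^omega;
    accepted says whether the DBW accepts it (the cycle visits alpha); has_x2 says
    whether the cycle contains an x2 block, i.e. whether the word lies in
    x . (x1^* . x2)^omega rather than in x . (x1 + x2)^* . x1^omega."""
    q0, delta, alpha = dbw
    x, blocks_by_name = cert[0], {"x1": cert[1], "x2": cert[2]}
    q = q0
    for sigma in x:                 # R first ignores the inputs and outputs x
        q = delta[(q, sigma)]
    emitted = []                    # names of the blocks emitted so far
    seen = {}                       # (DBW state, next block name) -> index into emitted
    nxt = "x1"                      # the first iteration outputs x1
    while len(emitted) < max_blocks:
        key = (q, nxt)
        if key in seen:
            start = seen[key]
            prefix = x + "".join(blocks_by_name[b] for b in emitted[:start])
            cycle = "".join(blocks_by_name[b] for b in emitted[start:])
            # The DBW is in state q both at the start and at the end of the cycle,
            # so its run visits alpha infinitely often iff it does so within one cycle.
            qc, accepted = q, False
            for sigma in cycle:
                accepted |= qc in alpha
                qc = delta[(qc, sigma)]
            assert qc == q
            return prefix, cycle, accepted, "x2" in emitted[start:]
        seen[key] = len(emitted)
        acc_seen = False
        for sigma in blocks_by_name[nxt]:
            acc_seen |= q in alpha      # Prover announces tau(q) before each letter
            q = delta[(q, sigma)]       # Refuter responds with the next letter of the block
        emitted.append(nxt)
        # Lemma 2's policy: after a block in which Prover announced ACC, output x2;
        # otherwise (all inputs were REJ) go back to x1.
        nxt = "x2" if acc_seen else "x1"
    raise RuntimeError("no repeated configuration within max_blocks")


def in_finitely_many_a(prefix, cycle):
    """Membership of prefix . cycle^omega in L_{not-inf-a}: the cycle contains no a."""
    return "a" not in cycle


# Constructed candidate DBWs for "only finitely many a's" over {a, b}.  No DBW
# recognises the language; the certificate (epsilon, b, a) of Example 1 fools each.
DBW_ALT = ("A", {("A", "a"): "B", ("A", "b"): "A", ("B", "a"): "B", ("B", "b"): "A"}, {"A"})
DBW_REJECT_ALL = ("S", {("S", "a"): "S", ("S", "b"): "S"}, set())
CERT_FIN_A = ("", "b", "a")

# Constructed all-accepting DBW over {0, 1, $} against the certificate (01, $, 1) of
# Example 3 for L = ($ + 0{0,1,$}^*1)^omega.
DBW_ACCEPT_ALL = ("S", {("S", c): "S" for c in "01$"}, {"S"})
CERT_EXAMPLE_3 = ("01", "$", "1")

if __name__ == "__main__":
    for dbw in (DBW_ALT, DBW_REJECT_ALL):
        prefix, cycle, accepted, has_x2 = run_refuter_game(dbw, CERT_FIN_A)
        in_l = in_finitely_many_a(prefix, cycle)
        print(f"word {prefix!r}.{cycle!r}^w: in L = {in_l}, DBW accepts = {accepted}")
    print(run_refuter_game(DBW_ACCEPT_ALL, CERT_EXAMPLE_3))
```

In every play the values `accepted` and `has_x2` coincide: an ACC announced inside the cycle forces an $x_2$ block into it, and conversely an $x_2$ block in the cycle was triggered by an ACC in the cycle. By the certificate, a word whose cycle contains $x_2$ lies outside $L$ although the DBW accepts it, and a word whose cycle consists of $x_1$ blocks only lies in $L$ although the DBW rejects it; either way the candidate DBW is wrong, which is exactly the refutation of Theorem 3.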
By Theorem 3, every language not in DBW has a certificate $(x, x_1, x_2)$. As we argue below, these certificates are linear in the number of states of the refuters.


Lemma 3. Let $R$ be a DBW-refuter for $L \subseteq \Sigma^\omega$ with $n$ states. Then, $L$ has a certificate of the form $(x, x_1, x_2)$ such that $|x| + |x_1| + |x_2| \leq 2 \cdot n$.


Proof. The paths $p$, $p_1$, and $p_2$ that induce $x$, $x_1$ and $x_2$ in the proof of Theorem 3 are simple, and so they are all of length at most $n$. Also, while these paths may share edges, we can define them so that each edge appears in at most two paths. Indeed, if an edge appears in all three paths, we can shorten $p$. Hence, $|x| + |x_1| + |x_2| \leq 2 \cdot n$, and we are done.


Theorem 5. Consider a language $L \subseteq \Sigma^\omega$ not in DBW. The length of a certificate for the non-DBW-recognizability of $L$ is linear in a DPW for $L$ and is exponential in an NBW for $L$. These bounds are tight.


Proof. The upper bounds follow from Theorem 1 and Lemma 3, and the exponential determinization of NBWs. The lower bound in the NBW case follows from the exponential lower bound on the size of shortest non-universality witnesses for nondeterministic finite word automata (NFW) [34]. We sketch the reduction: Let $L_n \subseteq \{0, 1\}^*$ be a language such that the shortest witness for non-universality of $L_n$ is exponential in $n$, but $L_n$ has a polynomial sized NFW. We then define $L'_n = (L_n \cdot \$ \cdot (0^* \cdot 1)^\omega) + ((0 + 1)^* \cdot \$ \cdot (0 + 1)^* \cdot 0^\omega)$. It is clear that $L'_n$ has an NBW polynomial in $n$ and is not DBW-recognizable. Note that for every word $w \in L_n$, we have $w \cdot \$ \cdot (0 + 1)^\omega \subseteq L'_n$. Thus, in order to satisfy Theorem 3, every certificate $(x, x_1, x_2)$ needs to have $w \cdot \$$ as a prefix of $x$, for some $w \notin L_n$. Hence, it is exponential in the size of the NBW.


Remark 2. [LTL] When the language $L$ is given by an LTL formula $\psi$, then $DBW(\psi) = \psi \leftrightarrow \mathbf{GF}\,acc$ and thus an off-the-shelf LTL synthesis tool can be used to extract a DBW-refuter, if one exists. As for complexity, a doubly-exponential upper bound on the size of a DPW for $NoDBW(L)$, and then also on the size of DBW-refuters and certificates, follows from the double-exponential translation of LTL formulas to DPWs [49,42]. The length of certificates, however, and then, by Lemma 2, also the size of a minimal refuter, is related to the diameter of the DPW for $NoDBW(L)$, and we leave its tight bound open. □


4 Separability and Approximations 


Consider three languages $L_1, L_2, L \subseteq \Sigma^\omega$. We say that $L$ is a separator for $(L_1, L_2)$ if $L_1 \subseteq L$ and $L_2 \cap L = \emptyset$. We say that a pair of languages $(L_1, L_2)$ is DBW-separable iff there exists a language $L$ in DBW such that $L$ is a separator for $(L_1, L_2)$.


Example 4. Let $\Sigma = \{a, b\}$, $L_1 = (a + b)^* \cdot b^\omega$, and $L_2 = (a + b)^* \cdot a^\omega$. By [29], $L_1$ and $L_2$ are not in DBW. They are, however, DBW-separable. A witness for this is $L = (a^* \cdot b)^\omega$. Indeed, $L_1 \subseteq L$, $L \cap L_2 = \emptyset$, and $L$ is DBW-recognizable. □
Consider a language $L \subseteq \Sigma^\omega$, and suppose we know that $L$ is not in DBW. A user may be willing to approximate $L$ in order to obtain DBW-recognizability. Specifically, we assume that there is a language $I \subseteq \Sigma^\omega$ of words that the user is indifferent about. Formally, the user is satisfied with a language in DBW that agrees with $L$ on all words that are not in $I$. Formally, we say that a language $L'$ approximates $L$ with radius $I$ if $L \setminus I \subseteq L' \subseteq L \cup I$. It is easy to see that, equivalently, $L'$ is a separator for $(L \setminus I, comp(L \cup I))$. Note that the above formulation embodies the case where the user has in mind different over- and under-approximation radiuses, thus separating $(L \setminus I_1, comp(L \cup I_2))$ for possibly different $I_1$ and $I_2$. Indeed, by defining $I = (I_1 \cap L) \cup (I_2 \setminus L)$, we get $(L \setminus I, comp(L \cup I)) = (L \setminus I_1, comp(L) \setminus I_2)$.

It follows that by studying DBW-separability, we also study DBW-approximation, namely approximation by a language that is in DBW, possibly with different over- and under-approximation radiuses.


Remark 3. [From recognizability to separation] It is easy to see that DBW-separability generalizes DBW-recognizability, as $L$ is in DBW iff $(L, comp(L))$ is DBW-separable. Given $L \subseteq \Sigma^\omega$, we say that a pair of languages $(L_1, L_2)$ is a no-DBW-witness for $L$ if $L$ is a separator for $(L_1, L_2)$ and $(L_1, L_2)$ is not DBW-separable. Note that the latter indeed implies that $L$ is not in DBW.

A simple no-DBW witness for $L$ can be obtained as follows. Let $R$ be a DBW-refuter for $L$. Then, we define $L_1 = \{R(y) : y \in \neg\infty ACC\}$ and $L_2 = \{R(y) : y \in \infty ACC\}$. By the definition of DBW-refuters, we have $L_1 \subseteq L$ and $L_2 \cap L = \emptyset$, and so $(L_1, L_2)$ is a no-DBW witness for $L$. It is simple, in the sense that when we describe $L_1$ and $L_2$ by a tree obtained by pruning the $\Sigma^*$-tree, then each node has at most two children: those that correspond to the responses of $R$ to ACC and REJ. □


4.1 Refuting Separability 


For a pair of languages $(L_1, L_2)$, we define the language $SepDBW(L_1, L_2) \subseteq (\Sigma \times A)^\omega$ of words with correct annotations for separation. Thus,

$SepDBW(L_1, L_2) = \{x \oplus y : (x \in L_1 \to y \in \infty ACC) \wedge (x \in L_2 \to y \notin \infty ACC)\}$.

Note that $comp(SepDBW(L_1, L_2))$ is then the language

$NoSepDBW(L_1, L_2) = \{x \oplus y : (x \in L_1 \wedge y \notin \infty ACC) \vee (x \in L_2 \wedge y \in \infty ACC)\}$.

A DBW-sep-refuter for $(L_1, L_2)$ is an $(A/\Sigma)$-transducer with $\iota = env$ that realizes $NoSepDBW(L_1, L_2)$.


Example 5. Consider the language $L_{\neg\infty a} = (a + b)^* \cdot b^\omega$, which is not in DBW. Let $I = a^* \cdot b^\omega + b^* \cdot a^\omega$; thus we are indifferent about words with only one alternation between $a$ and $b$. In Figure 3 we describe a DBW-sep-refuter for $(L_{\neg\infty a} \setminus I, comp(L_{\neg\infty a} \cup I))$. Note that the refuter generates only words in $a \cdot b \cdot a \cdot (a + b)^\omega$, whose intersection with $I$ is empty. Consequently, the refutation is similar to the DBW-refutation of $L_{\neg\infty a}$. □
Figure 3. A DBW-sep-refuter for $(L_{\neg\infty a} \setminus I, comp(L_{\neg\infty a} \cup I))$.


By Proposition 1, we have the following extension of Proposition 2.


Proposition 3. Consider two languages $L_1, L_2 \subseteq \Sigma^\omega$. Let $A = \{ACC, REJ\}$. Exactly one of the following holds:

- $(L_1, L_2)$ is DBW-separable, in which case the language $SepDBW(L_1, L_2)$ is $(\Sigma/A)$-realizable by the system, and a finite-memory winning strategy for the system induces a DBW for a language $L$ that separates $L_1$ and $L_2$.

- $(L_1, L_2)$ is not DBW-separable, in which case the language $NoSepDBW(L_1, L_2)$ is $(A/\Sigma)$-realizable by the environment, and a finite-memory winning strategy for the environment induces a DBW-sep-refuter for $(L_1, L_2)$.


As for complexity, the construction of the game for $SepDBW(L_1, L_2)$ is similar to the one described in Theorem 1. Here, however, the input to the problem includes two DPWs. Also, the positive case, namely the construction of the separator, does not follow from known results.


Theorem 6. Consider DPWs $\mathcal{A}_1$ and $\mathcal{A}_2$ with $n_1$ and $n_2$ states, respectively. Let $L_1 = L(\mathcal{A}_1)$ and $L_2 = L(\mathcal{A}_2)$. One of the following holds.

1. There is a DBW $\mathcal{A}$ with $2 \cdot n_1 \cdot n_2$ states such that $L(\mathcal{A})$ DBW-separates $(L_1, L_2)$.
2. There is a DBW-sep-refuter for $(L_1, L_2)$ with $2 \cdot n_1 \cdot n_2$ states.


Proof. We show that $SepDBW(L_1, L_2)$ and $NoSepDBW(L_1, L_2)$ can be recognised by DRWs with at most $2 \cdot n_1 \cdot n_2$ states. Then, by [15], we can construct a DBW or a DBW-sep-refuter with at most $2 \cdot n_1 \cdot n_2$ states. The construction is similar to the one described in the proof of Theorem 1. The only technical challenge is the fact that $SepDBW(L_1, L_2)$ is defined as the intersection, rather than the union, of two languages. For this, we observe that we can define $SepDBW(L_1, L_2)$ also as $\{x \oplus y : (y \in \infty ACC$ and $x \notin L_2)$ or $(y \notin \infty ACC$ and $x \notin L_1)\}$. With this formulation we can then reuse the union construction as seen in Theorem 1 to obtain DRWs with at most $2 \cdot n_1 \cdot n_2$ states.


As has been the case with DBW-recognizability, one can generate certificates from a DBW-sep-refuter. The proof is similar to that of Theorem 3, with membership in $L_1$ replacing membership in $L$ and membership in $L_2$ replacing being disjoint from $L$. Formally, we have the following.


Theorem 7. Two $\omega$-regular languages $L_1, L_2 \subseteq \Sigma^\omega$ are not DBW-separable iff there exist three finite words $x \in \Sigma^*$ and $x_1, x_2 \in \Sigma^+$ such that $x\cdot(x_1+x_2)^*\cdot x_1^\omega \subseteq L_1$ and $x\cdot(x_1^*\cdot x_2)^\omega \subseteq L_2$.

We refer to a triple $(x, x_1, x_2)$ of words that satisfy the conditions in Theorem 7 as a certificate to the non-DBW-separability of $(L_1, L_2)$. Observe that in the same way we generated a no-DBW witness in Remark 3, we can extract, given a DBW-sep-refuter $R$ for $(L_1, L_2)$, languages $L_1' \subseteq L_1$ and $L_2' \subseteq L_2$ that tighten $(L_1, L_2)$ and are still not DBW-separable.


4.2 Certificate-Guided Approximation 


In this section we describe a method for finding small approximating languages $I_1$ and $I_2$ such that $(L\setminus I_1,\ comp(L)\setminus I_2)$ is DBW-separable. If this method terminates we obtain an approximation for $L$ that is DBW-recognizable. As in counterexample-guided abstraction refinement (CEGAR) for model checking [10], we use certificates for non-DBW-separability in order to suggest interesting approximating languages. Intuitively, while in CEGAR the refined system excludes the counterexample, here the approximation of $L$ excludes the certificate.

Consider a certificate $(x, x_1, x_2)$ for the non-DBW-separability of $(L_1, L_2)$. We suggest the following five approximations:

$C_0 = x\cdot(x_1+x_2)^\omega$ $\leadsto$ $(L_1\setminus C_0,\ L_2\setminus C_0)$
$C_1 = x\cdot(x_1+x_2)^*\cdot x_1^\omega \subseteq L_1\cap C_0$ $\leadsto$ $(L_1\setminus C_1,\ L_2)$
$C_2 = x\cdot(x_2^*\cdot x_1)^\omega \supseteq C_1$ $\leadsto$ $(L_1,\ L_2\setminus C_2)$
$C_3 = x\cdot(x_1^*\cdot x_2)^\omega \subseteq L_2\cap C_0$ $\leadsto$ $(L_1,\ L_2\setminus C_3)$
$C_4 = x\cdot(x_1+x_2)^*\cdot x_2^\omega \subseteq C_3$ $\leadsto$ $(L_1,\ L_2\setminus C_4)$


First, it is easy to verify that $(x, x_1, x_2)$ is not a certificate for the non-DBW-separability of any of the obtained candidate pairs $(L_1', L_2')$. If $(L_1', L_2')$ is DBW-separable, we are done (yet may try to tighten the approximation). Otherwise, we can repeat the process with a certificate for the non-DBW-separability of $(L_1', L_2')$. As in CEGAR, some suggestions may be more interesting than others, in some cases the process terminates, in some it does not, and the user takes part in directing the search.


Example 6. Consider again the language $L = (a+b)^*\cdot b^\omega$ and the certificate $(x, x_1, x_2) = (\epsilon, b, a)$. Trying to approximate $L$ by a language in DBW, we start with the pair $(L, comp(L))$. Our five suggestions are then as follows.

$C_0 = \Sigma^\omega$ $\leadsto$ $(L\setminus C_0,\ comp(L)\setminus C_0) = (\emptyset, \emptyset)$

$C_1 = (b+a)^*\cdot b^\omega$ $\leadsto$ $(L\setminus C_1,\ comp(L)) = (\emptyset, comp(L))$

$C_2 = (a^*\cdot b)^\omega$ $\leadsto$ $(L,\ comp(L)\setminus C_2) = (L,\ (a+b)^*\cdot a^\omega)$

$C_3 = (b^*\cdot a)^\omega$ $\leadsto$ $(L,\ comp(L)\setminus C_3) = (L, \emptyset)$

$C_4 = (a+b)^*\cdot a^\omega$ $\leadsto$ $(L,\ comp(L)\setminus C_4) = (L,\ a^*\cdot(b^+\cdot a^+)^\omega)$

Candidates $C_0$, $C_1$, and $C_3$ induce trivial approximations. Then, $C_2$ suggests to over-approximate $L$ by setting $I_2$ to $(a^*\cdot b)^\omega$, which we view as a nice solution, approximating "eventually always $b$" by "infinitely often $b$". Then, the pair derived from $C_4$ is not DBW-separable. We can try to approximate it. Note, however, that repeated approximations in the spirit of $C_4$ are going to only extend the prefix $x$ of the certificates, and the process does not terminate. In the full version of this article [27], we describe the process for the certificate $(x, x_1, x_2) = (a, b, a)$, which again might not terminate.
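The five candidate pairs and the certificate conditions of Theorem 7 can be exercised mechanically on ultimately periodic words. The following Python script is an added example, not code from the paper or its full version: it represents an $\omega$-word $u\cdot v^\omega$ as the lasso $(u, v)$, represents languages as membership predicates on lassos, and tests the two inclusions $x\cdot(x_1+x_2)^*\cdot x_1^\omega \subseteq L_1$ and $x\cdot(x_1^*\cdot x_2)^\omega \subseteq L_2$ only on finitely many sampled words, so a `False` refutes a candidate certificate while a `True` is evidence rather than a proof. The candidate languages $C_0, \ldots, C_4$ are constructed for one-letter $x_1, x_2$ only (an assumption made so that membership can be read off the letters after the prefix $x$); the predicate names, the sampling depth and the constructed inputs are ours.

```python
"""Certificate-guided approximation (Section 4.2) on lasso words.

A lasso (u, v) with v non-empty stands for the omega-word u.v^omega.
Languages are predicates on lassos.  Added example; the languages and
the certificate (eps, b, a) are those of Example 6.
"""
from itertools import product


def unroll(u, v, n):
    """First n letters of u.v^omega."""
    s = u
    while len(s) < n:
        s += v
    return s[:n]


def suffix(u, v, k):
    """Lasso of the suffix of u.v^omega after its first k letters."""
    if k <= len(u):
        return u[k:], v
    s = (k - len(u)) % len(v)
    return "", v[s:] + v[:s]


# Building blocks for languages over a finite alphabet.
def ev_always(c):   # <>[] c : the period contains only c
    return lambda u, v: set(v) == {c}

def inf_often(c):   # []<> c : c occurs in the period
    return lambda u, v: c in v

def minus(L, M):
    return lambda u, v: L(u, v) and not M(u, v)

def complement(L):
    return lambda u, v: not L(u, v)

EV_ALWAYS_B = ev_always("b")            # L = (a+b)* . b^omega of Example 6


def certificate_holds_on_samples(x, x1, x2, L1, L2, depth=3):
    """Test x.(x1+x2)*.x1^omega <= L1 and x.(x1*.x2)^omega <= L2 on all words
    built from at most `depth` blocks.  False refutes the certificate;
    True is only sample-based evidence."""
    prefixes = [""] + ["".join(w) for n in range(1, depth + 1)
                       for w in product([x1, x2], repeat=n)]      # (x1+x2)*
    periodic = ["".join(x1 * k + x2 for k in ks)                   # (x1*.x2)+
                for n in range(1, depth + 1) for ks in product(range(depth), repeat=n)]
    if not all(L1(x + w, x1) for w in prefixes):
        return False
    return all(L2(x + w, per) for w in [""] + periodic for per in periodic)


def candidate_pairs(x, x1, x2, L1, L2):
    """The five pairs (L1', L2') suggested for a certificate (x, x1, x2).
    Assumption of this example: x1 and x2 are single letters, so membership
    in C0..C4 can be read off the letters after the prefix x."""
    assert len(x1) == 1 and len(x2) == 1

    def in_c0(u, v):                       # x.(x1+x2)^omega
        if unroll(u, v, len(x)) != x:
            return False
        su, sv = suffix(u, v, len(x))
        return set(su + sv) <= {x1, x2}

    def within_c0(tail):                   # x followed by a tail satisfying `tail`
        return lambda u, v: in_c0(u, v) and tail(*suffix(u, v, len(x)))

    C0 = in_c0
    C1 = within_c0(ev_always(x1))          # x.(x1+x2)*.x1^omega
    C2 = within_c0(inf_often(x1))          # x.(x2*.x1)^omega
    C3 = within_c0(inf_often(x2))          # x.(x1*.x2)^omega
    C4 = within_c0(ev_always(x2))          # x.(x1+x2)*.x2^omega
    return {
        "C0": (minus(L1, C0), minus(L2, C0)),
        "C1": (minus(L1, C1), L2),
        "C2": (L1, minus(L2, C2)),
        "C3": (L1, minus(L2, C3)),
        "C4": (L1, minus(L2, C4)),
    }


if __name__ == "__main__":
    L, coL = EV_ALWAYS_B, complement(EV_ALWAYS_B)
    print("(eps,b,a) certifies (L, comp L):",
          certificate_holds_on_samples("", "b", "a", L, coL))
    for name, (L1, L2) in candidate_pairs("", "b", "a", L, coL).items():
        print(name, "still certified by (eps,b,a):",
              certificate_holds_on_samples("", "b", "a", L1, L2))
```

Running the script reproduces the observation of the text that $(\epsilon, b, a)$ certifies nothing about any of the five derived pairs, while the pair derived from $C_4$ is still certified on samples by $(\epsilon, b, ab)$, whose second word already carries a longer block than the original certificate.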


5 Other Classes of Deterministic Automata 


In this section we generalise the idea of DBW-refuters to other classes of deterministic automata. For this we take again the view that a deterministic automaton is a $(\Sigma, A)$-transducer over a suitable annotation alphabet $A$. We then characterize each class of deterministic automata by two languages over $A$:


— The language $L_{acc} \subseteq A^\omega$, describing when a run is accepting. For example, for DBWs, we have $A = \{\mathrm{ACC}, \mathrm{REJ}\}$ and $L_{acc} = \Box\Diamond\mathrm{ACC}$.

— The language $L_{struct} \subseteq A^\omega$, describing structural conditions on the run. For example, recall that a DWW is a DBW in which the states of each SCS are either all accepting or all rejecting, and so each run eventually gets trapped in an accepting or rejecting SCS. Accordingly, the language of runs that satisfy the structural condition is $L_{struct} = A^*\cdot(\mathrm{ACC}^\omega + \mathrm{REJ}^\omega)$.


We now formalize this intuition. Let $A$ be a finite set of annotations and let $\gamma = (L_{acc}, L_{struct})$, for $L_{acc}, L_{struct} \subseteq A^\omega$. A deterministic automaton $\mathcal{A} = (\Sigma, Q, q_0, \delta, \alpha)$ is a deterministic $\gamma$-automaton (D$\gamma$W, for short) if there is a function $\tau : Q \to A$ that maps each state to an annotation such that a run $r$ of $\mathcal{A}$ satisfies $\alpha$ iff $\tau(r) \in L_{acc}$, and all runs $r$ satisfy the structural condition, thus $\tau(r) \in L_{struct}$. We then say that a language $L$ is $\gamma$-recognizable if there is a D$\gamma$W $\mathcal{A}$ such that $L = L(\mathcal{A})$.

Before we continue to study $\gamma$-recognizability, let us demonstrate the $\gamma$-characterization of common deterministic automata. We first start with classes $\gamma$ for which $L_{struct}$ is trivial; i.e., $L_{struct} = A^\omega$.


— DBW: $A = \{\mathrm{ACC}, \mathrm{REJ}\}$ and $L_{acc} = \Box\Diamond\mathrm{ACC}$.

— DCW: $A = \{\mathrm{ACC}, \mathrm{REJ}\}$ and $L_{acc} = \Diamond\Box\mathrm{ACC}$.

— DPW[$i,k$]: $A = \{i, \ldots, k\}$ and $L_{acc} = \{y \in A^\omega : \max(\mathit{inf}(y))\text{ is odd}\}$.

— DELW[$\theta$]: $A = 2^M$ and $L_{acc} = \{y \in A^\omega : y \models \theta\}$.


Note that the characterizations for Büchi, co-Büchi, and parity are special cases of the characterization for DELW. In a similar way, we could define a language $L_{acc}$ for DRW[$k$] and other common special cases of DELWs. We continue to classes in the depth hierarchy, where $\gamma$ includes also a structural restriction:


— DWW: The set $A$ and the language $L_{acc}$ are as for DBW or DCW. In addition, $L_{struct} = A^*\cdot(\mathrm{ACC}^\omega + \mathrm{REJ}^\omega)$.

— DWW[$j,k$], for $j \in \{0,1\}$: The set $A$ and the language $L_{acc}$ are as for DPW[$j,k$]. In addition, $L_{struct} = \{y_0 y_1 \cdots \in A^\omega : \text{for all } i \ge 0,\text{ we have that } y_i \le y_{i+1}\}$.

— Bounded Languages: A language $L$ is bounded if it is both safety and co-safety. Thus, every word $w \in \Sigma^\omega$ has a prefix $v \in \Sigma^*$ such that either for all $u \in \Sigma^\omega$ we have $v\cdot u \in L$, or for all $u \in \Sigma^\omega$ we have $v\cdot u \notin L$ [23]. To capture this, we use $A = \{\mathrm{ACC}, \mathrm{REJ}, ?\}$, where "?" is used for annotating states with both accepting and rejecting continuations. Then, $L_{acc} = A^*\cdot\mathrm{ACC}^\omega$, and $L_{struct} = ?^*\cdot(\mathrm{ACC}^\omega + \mathrm{REJ}^\omega)$.

— Deterministic $(m,n)$-Superparity Automata [39]: $A = \{(i,j) : 0 \le i \le m,\ 0 \le j \le n\}$, $L_{acc} = \{y_m \oplus y_n \in A^\omega : \max(\mathit{inf}(y_m)) + \max(y_n)\text{ is odd}\}$, and $L_{struct} = \{y_m \oplus (y_0 y_1 \cdots) \in A^\omega : y_i \le y_{i+1}\text{ for all } i \ge 0\}$.


Let $\Sigma$ be an alphabet, let $A$ be an annotation alphabet, and let $\gamma = (L_{acc}, L_{struct})$, for $L_{acc}, L_{struct} \subseteq A^\omega$. We define the language $Real(L, \gamma) \subseteq (\Sigma\times A)^\omega$ of words with correct annotations.

$Real(L, \gamma) = \{x \oplus y : y \in L_{struct}\text{ and }(x \in L\text{ iff }y \in L_{acc})\}$.

Note that the language $DBW(L)$ can be viewed as a special case of our general framework. In particular, in cases $L_{struct} = A^\omega$, we can remove the $y \in L_{struct}$ conjunct from $Real(L, \gamma)$. Note that $comp(Real(L, \gamma))$ is the language

$NoReal(L, \gamma) = \{x \oplus y : y \notin L_{struct}\text{ or }(x \in L\text{ iff }y \notin L_{acc})\}$.

A $\gamma$-refuter for $L$ is then an $(A/\Sigma)$-transducer with $\iota = env$ that realizes $NoReal(L, \gamma)$. We can now state the "D$\gamma$W-generalization" of Proposition 2.


Proposition 4. Consider an $\omega$-regular language $L \subseteq \Sigma^\omega$, and a pair $\gamma = (L_{acc}, L_{struct})$, for $\omega$-regular languages $L_{acc}, L_{struct} \subseteq A^\omega$. Exactly one of the following holds:

1. $L$ is in D$\gamma$W, in which case the language $Real(L, \gamma)$ is $(\Sigma/A)$-realizable by the system, and a finite-memory winning strategy for the system induces a D$\gamma$W for $L$.

2. $L$ is not in D$\gamma$W, in which case the language $NoReal(L, \gamma)$ is $(A/\Sigma)$-realizable by the environment, and a finite-memory winning strategy for the environment induces a $\gamma$-refuter for $L$.


Note that every DELW can be complemented by dualization, thus by changing its acceptance condition from $\theta$ to $\neg\theta$. In particular, DBW and DCW dualize each other. As we argue below, dualization carries over to refutation. For example, the $(\{\mathrm{ACC}, \mathrm{REJ}\}/\Sigma)$-transducer $R$ from Figure 1 is both a DBW-refuter for $\neg\Box\Diamond a$ and a DCW-refuter for $\Box\Diamond a$. Formally, we have the following.

Theorem 8. Consider an EL-condition $\theta$ over $M$. Let $A = 2^M$. For every $(A/\Sigma)$-transducer $R$ and language $L$, we have that $R$ is a DELW[$\theta$]-refuter for $L$ iff $R$ is a DELW[$\neg\theta$]-refuter for $comp(L)$. In particular, for every language $L$ and $(\{\mathrm{ACC}, \mathrm{REJ}\}/\Sigma)$-transducer $R$, we have that $R$ is a DBW-refuter for $L$ iff $R$ is a DCW-refuter for $comp(L)$.


402 O. Kupferman and S. Sickert 


Proof. For DELW[$\theta$]-recognizability of $L$, the language of correct annotations is $\{x \oplus y : (x \in L\text{ iff }y \models \theta)\}$, which is equal to $\{x \oplus y : (x \in comp(L)\text{ iff }y \models \neg\theta)\}$, which is the language of correct annotations for DELW[$\neg\theta$]-recognizability of $comp(L)$.
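The $\gamma$-characterization above and the dualization behind Theorem 8 can be exercised on concrete automata. The following Python script is an added example and not code from the paper: it treats a deterministic automaton as a transducer into an annotation alphabet through a labelling `tau`, runs it on a lasso word $u\cdot v^\omega$ (the run is then itself ultimately periodic, so the annotations seen infinitely often are read off the run's own cycle), decides $L_{acc}$ for the Büchi, co-Büchi and parity cases, and checks the weak structural condition $L_{struct} = A^*\cdot(\mathrm{ACC}^\omega + \mathrm{REJ}^\omega)$ by verifying that every strongly connected component is uniformly labelled. The two sample automata (for $\Box\Diamond a$ and for "no $b$ ever"), the integer ranks used for the parity case, and all function names are ours. Swapping ACC and REJ and reading the same structure as a DCW recognizes the complement, which is the dualization the text describes.

```python
"""Deterministic automata as (Sigma, A)-transducers (Section 5).

An automaton is (delta, q0, tau): delta[q][c] is the successor of state q on
letter c, tau[q] the annotation of q.  Added example, not from the paper.
"""

def run_lasso(delta, q0, u, v):
    """States of the run on u.v^omega, split into a prefix and the cycle that
    the run repeats forever (the run is ultimately periodic because the
    automaton is deterministic and finite)."""
    q, trace = q0, [q0]
    for c in u:
        q = delta[q][c]
        trace.append(q)
    first_seen = {}                         # state at a v-block boundary -> index
    while q not in first_seen:
        first_seen[q] = len(trace) - 1
        for c in v:
            q = delta[q][c]
            trace.append(q)
    i = first_seen[q]
    return trace[:i], trace[i:-1]

# L_acc conditions on (prefix annotations, cycle annotations).
def buchi(pre, cyc):     # []<> ACC
    return "ACC" in cyc

def cobuchi(pre, cyc):   # <>[] ACC
    return "REJ" not in cyc

def parity(pre, cyc):    # max(inf(y)) is odd, for integer annotations
    return max(cyc) % 2 == 1

def accepts(aut, cond, u, v):
    delta, q0, tau = aut
    pre, cyc = run_lasso(delta, q0, u, v)
    return cond([tau[q] for q in pre], [tau[q] for q in cyc])

def dualize(aut):
    """Swap ACC and REJ: the DBW for L, read as a DCW, recognizes comp(L)."""
    delta, q0, tau = aut
    return delta, q0, {q: {"ACC": "REJ", "REJ": "ACC"}[a] for q, a in tau.items()}

def reachable(delta, q):
    seen, todo = {q}, [q]
    while todo:
        for r in delta[todo.pop()].values():
            if r not in seen:
                seen.add(r)
                todo.append(r)
    return seen

def is_weak(aut):
    """L_struct = A*.(ACC^omega + REJ^omega) holds for all runs iff every
    strongly connected component carries a single annotation."""
    delta, _, tau = aut
    reach = {q: reachable(delta, q) for q in delta}
    for q in delta:
        scc = {p for p in delta if p in reach[q] and q in reach[p]}
        if len({tau[p] for p in scc}) > 1:
            return False
    return True

# DBW for []<> a over {a, b}: state 0 = "just read a" (ACC), state 1 = "just read b" (REJ).
INF_A = ({0: {"a": 0, "b": 1}, 1: {"a": 0, "b": 1}}, 1, {0: "ACC", 1: "REJ"})
# The same structure with parity ranks: odd rank on the a-state.
INF_A_PARITY = (INF_A[0], 1, {0: 1, 1: 0})
# Safety automaton for "no b ever": state 1 is a rejecting sink.
NO_B = ({0: {"a": 0, "b": 1}, 1: {"a": 1, "b": 1}}, 0, {0: "ACC", 1: "REJ"})

if __name__ == "__main__":
    print(accepts(INF_A, buchi, "", "ab"), accepts(INF_A, buchi, "ab", "b"))
    print(accepts(dualize(INF_A), cobuchi, "ab", "b"))
    print(is_weak(INF_A), is_weak(NO_B))
```

On `NO_B` the Büchi and co-Büchi readings agree on every word, as they must for a weak automaton, while on `INF_A` they differ and `is_weak` reports the mixed component $\{0, 1\}$.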


While dualization nicely carries over to refutation, this is not the case for all expressiveness results. For example, while DWW = DBW $\cap$ DCW, and in fact DBW and DCW are weak type (that is, when the language of a DBW is in DWW, an equivalent DWW can be defined on top of its structure, and similarly for DCW [21]), we describe in [27] a DWW-refuter that is neither a DBW- nor a DCW-refuter. Intuitively, this is possible as in DWW refutation, Prover loses when the input is not in $A^*\cdot(\mathrm{ACC}^\omega + \mathrm{REJ}^\omega)$, whereas in DBW and DCW refutation, Refuter has to respond correctly also for these inputs.

On the other hand, as every DWW is also a DBW and a DCW, every DBW-refuter or DCW-refuter is also a DWW-refuter.

It is easy to see that our results about D$\gamma$W-recognizability can be extended to separability and approximation in the same way DBW-recognizability has been extended in Section 4. We describe the details in the full version [27], as well as word-certificates for the non-D$\gamma$W-recognizability and -separability of several well-known types of $\gamma$.


6 Discussion and Directions for Future Research 


The automation of decision procedures makes certification essential. We suggest 
to use the winning strategy of the refuter in expressiveness games as a certificate 
to inexpressibility. We show that beyond this state-based certificate, the strategy 
induces a word-based certificate, generated from words traversed along a “flower 
structure” the strategy contains, as well as a language-based certificate, consisting 
of languages that under- and over-approximate the language in question and that 
are not separable by automata in the desired class. 

While our work considers expressive power, one can use similar ideas in order to question the size of automata needed to recognize a given language. For example, in the case of a regular language $L$ of finite words, the Myhill-Nerode characterization [37,38] suggests to refute the existence of a deterministic finite word automaton (DFW) with $n$ states for $L$ by providing $n+1$ prefixes that are pairwise not right-congruent. Using our approach, one can alternatively consider the winning strategy of Refuter in a game in which the set of annotations includes also the state space, and $L_{struct}$ ensures consistency of the transition relation. Even more interesting is refutation of size in the setting of automata on infinite words. Indeed, there, minimization is NP-complete [46], and there are interesting connections between polynomial certificates and possible membership in co-NP, as well as connections between the size of certificates and the succinctness of the different classes of automata.

Finally, while the approximation scheme we studied is based on suggested 
over- and under-approximating languages, it is interesting to study approxima- 
tions that are based on more flexible distance measures [13,18]. 
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Abstract. Dependent refinement types are types equipped with predi- 
cates that specify preconditions and postconditions of underlying func- 
tional languages. We propose a general semantic construction of depen- 
dent refinement type systems from underlying type systems and pred- 
icate logic, that is, a construction of liftings of closed comprehension 
categories from given (underlying) closed comprehension categories and 
posetal fibrations for predicate logic. We give sufficient conditions to lift 
structures such as dependent products, dependent sums, computational 
effects, and recursion from the underlying type systems to dependent 
refinement type systems. We demonstrate the usage of our construction 
by giving semantics to a dependent refinement type system and proving 
soundness. 


1 Introduction 


Dependent refinement types [6] are types equipped with predicates that restrict the values in the types. They are used to specify preconditions and postconditions, which may depend on input values, and to verify that programs satisfy the specifications. Many dependent refinement type systems have been proposed [5,6,13,14,25] and implemented in, e.g., F* [23,24] and LiquidHaskell [19,26,27].

In this paper, we address the question: “How are dependent refinement type 
systems, underlying type systems, and predicate logic related from the viewpoint 
of categorical semantics?” Although most existing dependent refinement type 
systems are proved to be sound using operational semantics, we believe that 
categorical semantics is more suitable for the general understanding of their 
nature, especially when we consider general computational effects and various 
kinds of predicate logic (e.g., for relational verification). This understanding will 
provide guidelines to design new dependent refinement type systems. 

Our answer to the question is a general semantic construction of dependent 
refinement type systems from underlying type systems and predicate logic. More 
concretely, given a closed comprehension category (CCompC for short) for inter- 
preting an underlying type system and a fibration for predicate logic, we combine 
them to obtain another CCompC that can interpret a dependent refinement type 
system built from the underlying type system and the predicate logic. 
For example, consider giving an interpretation to the term "$x : \{\mathit{int} \mid x > 0\} \vdash x + 1 : \{v : \mathit{int} \mid v = x + 1\}$" in a dependent refinement type system. Its underlying term is "$x : \mathit{int} \vdash x + 1 : \mathit{int}$," and we assume that it is interpreted as the successor function on $\mathbb{Z}$ in $\mathbf{Set}$. The problem here is how to refine this interpretation with predicates. In dependent refinement types, predicates may depend on the variables in contexts. In this example, the type "$x : \{\mathit{int} \mid x > 0\} \vdash \{v : \mathit{int} \mid v = x + 1\}$" depends on the variable $x$. Thus, the interpretation of such types must be a predicate on the context and the type, i.e.,

$[\![x : \{\mathit{int} \mid x > 0\} \vdash \{v : \mathit{int} \mid v = x + 1\}]\!] = \{(x, v) \in \mathbb{Z}\times\mathbb{Z} \mid x > 0 \wedge v = x + 1\}$.

As a result, the term in the dependent refinement type system is interpreted as the interpretation in the underlying type system together with the property that if the input satisfies the preconditions, then the output satisfies the postconditions.


$\begin{array}{ccc}
\{x \in \mathbb{Z} \mid x > 0\} & \dashrightarrow & \{(x, v) \in \mathbb{Z}\times\mathbb{Z} \mid x > 0 \wedge v = x + 1\} \\
\downarrow & & \downarrow \\
\mathbb{Z} & \xrightarrow{\ x \mapsto (x,\, x+1)\ } & \mathbb{Z}\times\mathbb{Z}
\end{array}$ \qquad (1)


We formalize this refinement process as a construction of liftings of CCompCs, which are used to interpret dependent type theories. Assume that we have a pair of a CCompC $p : \mathbb{E} \to \mathbb{B}$ for interpreting underlying type systems and a fibration $q : \mathbb{P} \to \mathbb{B}$ for predicate logic satisfying certain conditions. Then we construct a CCompC $\{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ for interpreting dependent refinement type systems. This construction also yields a morphism of CCompCs from $\{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ to $p : \mathbb{E} \to \mathbb{B}$, as in Fig. 1. Given the simple fibration $s(\mathbf{Set}) \to \mathbf{Set}$ for underlying type systems and the subobject fibration $\mathbf{Sub}(\mathbf{Set}) \to \mathbf{Set}$ for predicate logic, we get interpretations like (1).

$\begin{array}{ccc}
\{\mathbb{E} \mid \mathbb{P}\} & \longrightarrow & \mathbb{E} \\
\downarrow & & \downarrow{\scriptstyle p} \\
\mathbb{P} & \xrightarrow{\ q\ } & \mathbb{B}
\end{array}$

Fig. 1. Lifting.

We extend the construction of liftings of CCompCs to liftings of fibred monads [1] on CCompCs, which is motivated by the fact that many dependent refinement type systems have computational effects, e.g., exceptions (like division and assertion), divergence, nondeterminism [25], and probability [5]. Assume that we have a fibred monad $\hat{T}$ on $p : \mathbb{E} \to \mathbb{B}$, a monad $T$ on $\mathbb{B}$, and a lifting $\dot{T}$ of $T$ along $q : \mathbb{P} \to \mathbb{B}$. Under a certain condition that roughly claims that $T$ and $\hat{T}$ represent the same computational effects, we construct a fibred monad on $\{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$, which is a lifting of $\hat{T}$ in the same spirit as the given lifting $\dot{T}$. This situation is rather realistic because the fibred monad $\hat{T}$ on the CCompC $p : \mathbb{E} \to \mathbb{B}$ is often induced from the monad $T$ on the base category $\mathbb{B}$. The lifting $\dot{T}$ of the monad $T$ along $q : \mathbb{P} \to \mathbb{B}$ specifies how to map predicates $P \in \mathbb{P}_X$ on values $X \in \mathbb{B}$ to predicates $\dot{T}P \in \mathbb{P}_{TX}$ on computations $TX$, which enables us to express, for example, total/partial correctness and may/must nondeterminism [1].

We explain the usage of these categorical constructions by giving semantics 
to a dependent refinement type system with computational effects, which is 
based on [4]. Our system also supports subtyping relations induced by logical 
implication. We prove soundness of the dependent refinement type system. 
Finally, we discuss how to handle recursion in dependent refinement type systems. In [4], Ahman gives semantics to recursion in a specific model, i.e., the fibration of continuous families of $\omega$-cpos $\mathbf{CFam}(\mathbf{CPO}) \to \mathbf{CPO}$. We consider a more general characterization of recursion by adapting Conway operators to CCompCs, which enables us to lift the structure for recursion. We show that a rule for partial correctness in our dependent refinement type system is sound under the existence of a generalized Conway operator.

Our contributions are summarized as follows. 


— We provide a general construction of liftings of CCompCs from given CCom- 
pCs and posetal fibrations satisfying certain conditions, as a semantic coun- 
terpart of construction of dependent refinement type systems from under- 
lying type systems and predicate logic. We extend this to liftings of fibred 
monads on the underlying CCompCs to model computational effects. 

— We consider a type system (based on EMLTT [2-4]) that includes most of the basic features of dependent refinement type systems and prove its soundness in the liftings of CCompCs obtained from the above construction.

— We define Conway operators for dependent type systems. This generalizes 
the treatment of general recursion in [4]. We prove soundness of the typing 
rule for partial correctness of recursion under the existence of a lifting of 
Conway operators. 


2 Preliminaries 


We review basic definitions and fix notations for comprehension categories, which 
are used as categorical models for dependent type theories. We assume basic 
knowledge of fibrations (see e.g. [10]). 

Let $p : \mathbb{E} \to \mathbb{B}$ be a fibration (opfibration). We denote the cartesian (cocartesian) lifting over $u : I \to J$ by $\bar{u}(Y) : u^*Y \to Y$ (resp. $\underline{u}(X) : X \to \coprod_u X$), where $u^* : \mathbb{E}_J \to \mathbb{E}_I$ ($\coprod_u : \mathbb{E}_I \to \mathbb{E}_J$) is the reindexing (coreindexing) functor. We call $p : \mathbb{E} \to \mathbb{B}$ a posetal fibration if $p$ is a fibration such that each fibre category is a poset. Note that the fibration $p : \mathbb{E} \to \mathbb{B}$ is split and faithful if $p$ is posetal.

A comprehension category is a functor $\mathcal{P} : \mathbb{E} \to \mathbb{B}^{\to}$ such that the composite $\mathrm{cod} \circ \mathcal{P} : \mathbb{E} \to \mathbb{B}$ is a fibration and $\mathcal{P}$ maps cartesian morphisms to pullbacks in $\mathbb{B}$. A comprehension category $\mathcal{P}$ is full if $\mathcal{P}$ is fully faithful.

A comprehension category with unit is a fibration $p : \mathbb{E} \to \mathbb{B}$ that has a fibred terminal object $1 : \mathbb{B} \to \mathbb{E}$ and a comprehension functor $\{-\} : \mathbb{E} \to \mathbb{B}$ which is a right adjoint of the fibred terminal object functor, $1 \dashv \{-\}$. The projection $\pi_X : \{X\} \to pX$ is defined by $\pi_X = p\,\epsilon_X$ for each $X \in \mathbb{E}$, where $\epsilon$ is the counit of $1 \dashv \{-\}$. Intuitively, $\mathbb{E}$ represents a collection of types $\Gamma \vdash A$ in dependent type theories; $\mathbb{B}$ represents a collection of contexts $\Gamma$; $p : \mathbb{E} \to \mathbb{B}$ is the mapping $(\Gamma \vdash A) \mapsto \Gamma$; $1 : \mathbb{B} \to \mathbb{E}$ is the unit type $\Gamma \mapsto (\Gamma \vdash 1)$; and $\{-\}$ is the mapping $(\Gamma \vdash A) \mapsto \Gamma, x : A$ where $x$ is a fresh variable.

The comprehension category with unit $p : \mathbb{E} \to \mathbb{B}$ induces several structures. It induces a comprehension category $\mathcal{P}$ defined by $\mathcal{P}X = \pi_X$. The adjunction $1 \dashv \{-\}$ defines the bijection $s : \mathbb{E}_I(1I, X) \cong \{f : I \to \{X\} \mid \pi_X \circ f = \mathrm{id}_I\}$ between vertical morphisms in $\mathbb{E}$ and sections in $\mathbb{B}$. For each $X, Y \in \mathbb{E}_I$, we have an isomorphism $\phi : \mathbb{E}_{\{X\}}(1\{X\}, \pi_X^*Y) \cong \mathbb{E}_I(X, Y)$. Consider the pullback square $\mathcal{P}(\bar{\pi}_X(Y))$ where $X, Y \in \mathbb{E}_I$. By the universal property of pullbacks, we have the symmetry isomorphism $\sigma_{X,Y} : \{\pi_X^*Y\} \to \{\pi_Y^*X\}$ as the unique morphism $\sigma_{X,Y}$ such that $\pi_{\pi_X^*Y} = \{\bar{\pi}_Y(X)\} \circ \sigma_{X,Y}$ and $\{\bar{\pi}_X(Y)\} = \pi_{\pi_Y^*X} \circ \sigma_{X,Y}$. Similarly, we have the diagonal morphism $\delta_X : \{X\} \to \{\pi_X^*X\}$ as the unique morphism $\delta_X$ such that $\pi_{\pi_X^*X} \circ \delta_X = \{\bar{\pi}_X(X)\} \circ \delta_X = \mathrm{id}_{\{X\}}$.

Let $p : \mathbb{E} \to \mathbb{B}$ be a comprehension category with unit and $q : \mathbb{D} \to \mathbb{B}$ be a fibration. The fibration $q$ has $p$-products if $\pi_X^* : \mathbb{D}_{pX} \to \mathbb{D}_{\{X\}}$ has a right adjoint $\pi_X^* \dashv \prod_X$ for each $X \in \mathbb{E}$ and these adjunctions satisfy the BC (Beck-Chevalley) condition for each pullback square $\mathcal{P}f$, where $\mathcal{P}$ is the comprehension category induced by $p$ and $f$ is a cartesian morphism in $\mathbb{E}$. Similarly, we define $p$-coproducts by $\coprod_X \dashv \pi_X^*$ and $p$-equality by $\mathrm{Eq}_X \dashv \delta_X^*$ plus the BC condition for each cartesian morphism (see [10, Definition 9.3.5] for details).

A comprehension category with unit $p : \mathbb{E} \to \mathbb{B}$ admits products (coproducts) if it has $p$-products ($p$-coproducts). The coproducts are strong if the canonical morphism $\kappa : \{Y\} \to \{\coprod_X Y\}$, defined by $\kappa = \{\bar{\pi}_X(\coprod_X Y) \circ \eta_Y\}$ with $\eta$ the unit of $\coprod_X \dashv \pi_X^*$, is an isomorphism for each $X \in \mathbb{E}$ and $Y \in \mathbb{E}_{\{X\}}$. A closed comprehension category (CCompC) is a full comprehension category with unit that admits products and strong coproducts and has a terminal object in the base category. A split closed comprehension category (SCCompC) is a CCompC such that $p$ is a split fibration, and the BC condition for products and coproducts holds strictly (i.e., the canonical isomorphisms are identities). For example, the simple fibration $s_{\mathbb{B}} : s(\mathbb{B}) \to \mathbb{B}$ on a cartesian closed category $\mathbb{B}$ is a SCCompC (see [10, Theorem 10.5.5]). Another example of an SCCompC is the family fibration $\mathit{fam}_{\mathbf{Set}} : \mathbf{Fam}(\mathbf{Set}) \to \mathbf{Set}$.

Fibred coproducts in a comprehension category with unit $p : \mathbb{E} \to \mathbb{B}$ are strong if the functor $(\{\iota_1\}^*, \{\iota_2\}^*) : \mathbb{E}_{\{X+Y\}} \to \mathbb{E}_{\{X\}} \times \mathbb{E}_{\{Y\}}$ is fully faithful, where $\iota_1 : X \to X+Y$ and $\iota_2 : Y \to X+Y$ are the injections for fibred coproducts. Strong fibred coproducts are used to interpret fibred coproduct types $A + B$.


3 Lifting SCCompCs and Fibred Coproducts 


In this section, we give a construction of liftings of SCCompCs with strong fibred 
coproducts from given SCCompCs with strong fibred coproducts for underlying 
types and posetal fibrations for predicate logic satisfying appropriate conditions. 


3.1 Lifting SCCompCs 


Let $p : \mathbb{E} \to \mathbb{B}$ be a SCCompC for underlying type systems. Let $q : \mathbb{P} \to \mathbb{B}$ be a posetal fibration with fibred finite products for predicate logic.

Definition 1. We define a category $\{\mathbb{E} \mid \mathbb{P}\}$ by the pullback of $q^{\to} : \mathbb{P}^{\to} \to \mathbb{B}^{\to}$ along $\mathcal{P} : \mathbb{E} \to \mathbb{B}^{\to}$, where the comprehension category $\mathcal{P}$ is induced by $p : \mathbb{E} \to \mathbb{B}$:

$\begin{array}{ccc}
\{\mathbb{E} \mid \mathbb{P}\} & \xrightarrow{\ (q^{\to})^*\mathcal{P}\ } & \mathbb{P}^{\to} \\
{\scriptstyle \mathcal{P}^*(q^{\to})}\downarrow & & \downarrow{\scriptstyle q^{\to}} \\
\mathbb{E} & \xrightarrow{\ \mathcal{P}\ } & \mathbb{B}^{\to}
\end{array}$

That is, objects are tuples $(X, P, Q)$ where $X \in \mathbb{E}$, $P \in \mathbb{P}_{pX}$, $Q \in \mathbb{P}_{\{X\}}$, and $Q \le \pi_X^*P$; and morphisms are tuples $(f, g, h) : (X, P, Q) \to (X', P', Q')$ where $f : X \to X'$, $g : P \to P'$, $h : Q \to Q'$, $pf = qg$, and $\{f\} = qh$.

The intuition of this definition is as follows. For each object $(X, P, Q) \in \{\mathbb{E} \mid \mathbb{P}\}$, $X$ represents a type $\Gamma \vdash A$ in the underlying type system, $P$ represents a predicate on the context $\Gamma$, and $Q$ represents the conjunction of a predicate on $\Gamma, v : A$ and the predicate $P$ (thus $Q \le \pi_X^*P$ is imposed). Note that $\mathcal{P}^*(q^{\to}) : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{E}$ is faithful because $q$ is faithful.

Let $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ be the functor defined by $\mathrm{cod} \circ (q^{\to})^*\mathcal{P}$, that is, $(X, P, Q) \mapsto P$. The functor $\{p \mid q\}$ inherits most of the CCompC structure of $p : \mathbb{E} \to \mathbb{B}$.


Lemma 2. The functor $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ is a split fibration. The cartesian lifting of $g : P' \to P$ is given by

$\big(\overline{qg}(X),\ g,\ \overline{\{\overline{qg}(X)\}}(Q) \circ \pi'\big) : \big((qg)^*X,\ P',\ \pi_{(qg)^*X}^*P' \wedge \{\overline{qg}(X)\}^*Q\big) \to (X, P, Q)$

where $\pi'$ is a projection for fibred products.


Lemma 3. The fibration $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ is a full comprehension category with unit that admits strong coproducts.

Proof. The main idea is that the structure in the CCompC $p : \mathbb{E} \to \mathbb{B}$ can be lifted to $\{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$. Here, we only show the definition of (the object parts of) the fibred terminal object $1 : \mathbb{P} \to \{\mathbb{E} \mid \mathbb{P}\}$, the comprehension functor $\{-\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$, and the coproducts $\coprod_{(X,P,Q)} : \{\mathbb{E} \mid \mathbb{P}\}_Q \to \{\mathbb{E} \mid \mathbb{P}\}_P$ for each $(X, P, Q) \in \{\mathbb{E} \mid \mathbb{P}\}$.

$1P = (1_{qP},\ P,\ \pi_{1_{qP}}^*P)$, \qquad $\{(X, P, Q)\} = Q$, \qquad $\coprod_{(X,P,Q)}(Y, Q, R) = (\coprod_X Y,\ P,\ \coprod_\kappa R)$,

where $\kappa : \{Y\} \to \{\coprod_X Y\}$ is the canonical isomorphism of strong coproducts, so that $\coprod_\kappa R$ is $R$ transported to a predicate on $\{\coprod_X Y\}$. The rest of the proof is omitted.


The existence of products in $\{p \mid q\}$ requires additional conditions.

Lemma 4. If $q : \mathbb{P} \to \mathbb{B}$ has fibred exponentials and $p$-products (in addition to fibred finite products), then $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ admits products.

Proof. We define $\prod_{(X,P,Q)} : \{\mathbb{E} \mid \mathbb{P}\}_Q \to \{\mathbb{E} \mid \mathbb{P}\}_P$ by

$\prod_{(X,P,Q)}(Y, Q, R) = \big(\prod_X Y,\ P,\ \pi_{\prod_X Y}^*P \wedge \prod(\cdots \Rightarrow \cdots)\big)$,

where the third component uses the fibred exponential $\Rightarrow$ and the $p$-product of $q$ to express that every value satisfying $Q$ is mapped to a value satisfying $R$ (the full expression and the accompanying diagram are not recoverable from the source; the $\mathbf{Set}$ instance is spelled out in (2) below). Then, this gives products in $\{p \mid q\}$, but we omit the lengthy proof.


As a result, we get a lifting of SCCompCs over $p : \mathbb{E} \to \mathbb{B}$.

Theorem 5. If $p : \mathbb{E} \to \mathbb{B}$ is a SCCompC and $q : \mathbb{P} \to \mathbb{B}$ is a fibred ccc that has $p$-products, then $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ is a SCCompC. Moreover, $(\mathcal{P}^*(q^{\to}), q) : \{p \mid q\} \to p$ is a morphism of SCCompCs, i.e., a split fibred functor that preserves the CCompC structure strictly.

$\begin{array}{ccc}
\{\mathbb{E} \mid \mathbb{P}\} & \xrightarrow{\ \mathcal{P}^*(q^{\to})\ } & \mathbb{E} \\
{\scriptstyle \{p \mid q\}}\downarrow & & \downarrow{\scriptstyle p} \\
\mathbb{P} & \xrightarrow{\ q\ } & \mathbb{B}
\end{array}$

Proof. By Lemma 3 and Lemma 4. A terminal object in $\mathbb{P}$ exists because $\mathbb{B}$ has a terminal object and $q : \mathbb{P} \to \mathbb{B}$ has fibred terminal objects. It is almost obvious that $(\mathcal{P}^*(q^{\to}), q)$ preserves the structure of CCompCs.


Example 6. Consider the simple fibration $s_{\mathbf{Set}} : s(\mathbf{Set}) \to \mathbf{Set}$ and the subobject fibration $\mathit{sub}_{\mathbf{Set}} : \mathbf{Sub}(\mathbf{Set}) \to \mathbf{Set}$ (see [10, §1.3]). Objects in $\{s(\mathbf{Set}) \mid \mathbf{Sub}(\mathbf{Set})\}$ are tuples $((I, X), P, Q)$ where $(I, X) \in s(\mathbf{Set})$, $P \subseteq I$, and $Q \subseteq P \times X \subseteq I \times X$, and morphisms are those in $s(\mathbf{Set})$ that preserve predicates. In $\{s_{\mathbf{Set}} \mid \mathit{sub}_{\mathbf{Set}}\} : \{s(\mathbf{Set}) \mid \mathbf{Sub}(\mathbf{Set})\} \to \mathbf{Sub}(\mathbf{Set})$, products are given by

$\prod_{((I,X),P,Q)}((I \times X, Y), Q, R) = \big((I, X \Rightarrow Y),\ P,\ \{(i, f) \in I \times (X \Rightarrow Y) \mid i \in P \wedge \forall x \in X.\ (i, x) \in Q \Rightarrow ((i, x), f(x)) \in R\}\big)$. \qquad (2)


Example 7. Let $\mathit{erel} : \mathbf{ERel} \to \mathbf{Set}$ be the fibration of endorelations defined by change-of-base from $\mathbf{Sub}(\mathbf{Set}) \to \mathbf{Set}$ along the functor $X \mapsto X \times X$. The fibration $\mathit{erel}$ is a fibred ccc and has products (i.e., right adjoints of reindexing functors that satisfy the BC condition for each pullback square). Therefore, $\mathit{erel}$ has $p$-products for any comprehension category with unit $p$. If we apply Theorem 5 to $\mathit{erel}$ and the simple fibration $s_{\mathbf{Set}} : s(\mathbf{Set}) \to \mathbf{Set}$, then products are defined similarly to Example 6.


Example 8. Consider the family fibration $\mathit{fam}_{\mathbf{Set}} : \mathbf{Fam}(\mathbf{Set}) \to \mathbf{Set}$ [10, Def. 1.2.1] and the subobject fibration $\mathit{sub}_{\mathbf{Set}} : \mathbf{Sub}(\mathbf{Set}) \to \mathbf{Set}$. Objects in $\{\mathbf{Fam}(\mathbf{Set}) \mid \mathbf{Sub}(\mathbf{Set})\}$ are tuples $((I, X), P, Q)$ where $(I, X) \in \mathbf{Fam}(\mathbf{Set})$, $P \subseteq I$, and $Q \subseteq \coprod_{i \in P} X_i \subseteq \coprod_{i \in I} X_i$. Note that subsets $Q \subseteq \coprod_{i \in I} X_i$ are in one-to-one correspondence with families of subsets $(Q_i \subseteq X_i)_{i \in I}$ when we define $Q_i = \iota_i^{-1}(Q)$, where $\iota_i : X_i \to \coprod_{i \in I} X_i$ is the $i$-th injection. So, we often identify $Q$ with the family of subsets $Q_i \subseteq X_i$. We get products in $\{\mathit{fam}_{\mathbf{Set}} \mid \mathit{sub}_{\mathbf{Set}}\} : \{\mathbf{Fam}(\mathbf{Set}) \mid \mathbf{Sub}(\mathbf{Set})\} \to \mathbf{Sub}(\mathbf{Set})$ by modifying (2) for dependent functions.


3.2 Lifting Fibred Coproducts 


A sufficient condition for $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ to have strong fibred coproducts is given by the following lemma, which is analogous to [9, Prop. 4.5.8].

Lemma 9. If (1) $p : \mathbb{E} \to \mathbb{B}$ is a CCompC that has strong fibred coproducts, (2) for each $X, Y \in \mathbb{E}_I$, $X', Y' \in \mathbb{E}_{I'}$, $u : I \to I'$, and pair of cartesian liftings $f : X \to X'$ and $g : Y \to Y'$ over $u$, the following two squares are pullbacks

$\begin{array}{ccccc}
\{X\} & \xrightarrow{\ \{\iota_1\}\ } & \{X + Y\} & \xleftarrow{\ \{\iota_2\}\ } & \{Y\} \\
{\scriptstyle \{f\}}\downarrow & & \downarrow{\scriptstyle \{f + g\}} & & \downarrow{\scriptstyle \{g\}} \\
\{X'\} & \xrightarrow{\ \{\iota_1\}\ } & \{X' + Y'\} & \xleftarrow{\ \{\iota_2\}\ } & \{Y'\}
\end{array}$

(3) $q : \mathbb{P} \to \mathbb{B}$ is a fibred distributive category, and (4) for each $X, Y \in \mathbb{E}_I$ and $Z \in \mathbb{E}_{\{X+Y\}}$, $q$ has cocartesian liftings of $\{\iota_1\} : \{X\} \to \{X+Y\}$, $\{\iota_2\} : \{Y\} \to \{X+Y\}$, $\{\bar{\iota}_1(Z)\} : \{\iota_1^*Z\} \to \{Z\}$, and $\{\bar{\iota}_2(Z)\} : \{\iota_2^*Z\} \to \{Z\}$ that satisfy the BC condition for each pullback square and Frobenius, then $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ has strong fibred coproducts, and the fibred functor $(\mathcal{P}^*(q^{\to}), q) : \{p \mid q\} \to p$ strictly preserves fibred coproducts.

Proof. We define fibred coproducts by $(X, P, Q) + (Y, P, R) = \big(X + Y,\ P,\ \coprod_{\{\iota_1\}} Q \vee \coprod_{\{\iota_2\}} R\big)$. We omit the rest of the proof.

Note that if $q$ is fibred bicartesian closed, then $q$ is a fibred distributive category.


Example 10. Consider $s_{\mathbf{Set}} : s(\mathbf{Set}) \to \mathbf{Set}$ and $\mathit{sub}_{\mathbf{Set}} : \mathbf{Sub}(\mathbf{Set}) \to \mathbf{Set}$ (recall Example 6). This combination satisfies the four conditions in Lemma 9. Fibred coproducts in $\{s(\mathbf{Set}) \mid \mathbf{Sub}(\mathbf{Set})\} \to \mathbf{Sub}(\mathbf{Set})$ are defined as follows, with the injections into $X + Y$ left implicit.

$((I, X), P, Q) + ((I, Y), P, R) = \big((I, X + Y),\ P,\ \{(i, z) \mid (i, z) \in Q \vee (i, z) \in R\}\big)$


4 Lifting Monads on SCCompCs 


Suppose we have a SCCompC $p : \mathbb{E} \to \mathbb{B}$ and a posetal fibration $q : \mathbb{P} \to \mathbb{B}$ as ingredients for $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ in Theorem 5. We explain how to construct a fibred monad on $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ from monads on $p$ and $q$.

First, we assume that a monad $T$ on $\mathbb{B}$ and a fibred monad $\hat{T}$ on $p : \mathbb{E} \to \mathbb{B}$ are given. These monads are intended to represent the same computational effects in underlying type systems, but $T$ is more "primitive" than $\hat{T}$, and $\hat{T}$ is induced from $T$ in some natural way. For example, we can use the maybe monad or the powerset monad on $\mathbf{Set}$ as $T$ and define $\hat{T}$ by $(I, X) \mapsto (I, TX)$ on the simple fibration $s(\mathbf{Set}) \to \mathbf{Set}$. In such a situation, we often have an oplax monad morphism (Definition 11) $\theta : \{\hat{T}(-)\} \to T\{-\}$. Intuitively, $\theta$ extends the action of $T$ on types to contexts, just like the strength of a strong monad. We also need a lifting $\dot{T}$ of $T$ along $q : \mathbb{P} \to \mathbb{B}$ to specify a mapping from predicates on values in $X \in \mathbb{B}$ to predicates on computations in $TX$ [1]. Given all these ingredients and some additional conditions, we define a fibred monad on $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ which is a lifting of the fibred monad $\hat{T}$ on $p : \mathbb{E} \to \mathbb{B}$.

Definition 11 (oplax monad morphism). Let $\mathbb{C}, \mathbb{D}$ be categories, $F : \mathbb{C} \to \mathbb{D}$ be a functor, and $(S, \eta^S, \mu^S)$, $(T, \eta^T, \mu^T)$ be monads on $\mathbb{C}$ and $\mathbb{D}$, respectively. A natural transformation $\theta : FS \to TF$ is an oplax monad morphism if $\theta$ respects units and multiplications, i.e., for every $X \in \mathbb{C}$,

$\theta_X \circ F\eta^S_X = \eta^T_{FX}$, \qquad $\theta_X \circ F\mu^S_X = \mu^T_{FX} \circ T\theta_X \circ \theta_{SX}$.
Theorem 12. Let $T$ be a monad on $\mathbb{B}$, $\hat{T}$ be a fibred monad on $p : \mathbb{E} \to \mathbb{B}$ in the 2-category $\mathbf{Fib}_{\mathbb{B}}$ of fibrations over $\mathbb{B}$, $\theta : \{\hat{T}(-)\} \to T\{-\}$ be an oplax monad morphism, and $\dot{T}$ be a fibred lifting [1] of $T$ along $q : \mathbb{P} \to \mathbb{B}$. If

$\pi_{\hat{T}X}^*P \wedge \theta_X^*\dot{T}Q \ \le\ \theta_X^*\dot{T}(\pi_X^*P \wedge Q)$ \qquad (3)

holds for each $X \in \mathbb{E}$, $P \in \mathbb{P}_{pX}$ and $Q \in \mathbb{P}_{\{X\}}$, then there exists a fibred monad $S$ on $\{p \mid q\} : \{\mathbb{E} \mid \mathbb{P}\} \to \mathbb{P}$ in $\mathbf{Fib}_{\mathbb{P}}$ such that the fibred functor $\{p \mid q\} \to p$ in Theorem 5 is a fibred monad morphism from $S$ to $\hat{T}$.

Proof. We define $S(X, P, Q) = (\hat{T}X,\ P,\ \pi_{\hat{T}X}^*P \wedge \theta_X^*\dot{T}Q)$. Then the monad structure of $\hat{T}$ lifts to $S$. The assumption (3) is required to prove that $S$ is fibred.

[Diagram: $\theta_X : \{\hat{T}X\} \to T\{X\}$ together with the projections $\pi_{\hat{T}X} : \{\hat{T}X\} \to pX$ and $T\pi_X : T\{X\} \to TpX$; the remaining arrows are not recoverable from the extracted text.]


Example 13. Any strong monad $T$ on a CCC $\mathbb{B}$ gives rise to a split fibred monad $\hat{T}$ on the simple fibration $s_{\mathbb{B}} : s(\mathbb{B}) \to \mathbb{B}$ (actually, there is a one-to-one correspondence [10, Ex. 2.6.10]). The monad $\hat{T}$ is defined by $(I, X) \mapsto (I, TX)$. An oplax monad morphism $\theta : I \times TX \to T(I \times X)$ is given by the strength. Now consider the case where $\mathbb{B} = \mathbf{Set}$. Since the strength for the monad $T$ on $\mathbf{Set}$ is given uniquely [17, Proposition 3.4], we can prove that (3) holds for any fibred lifting of $T$ along the subobject fibration $\mathit{sub}_{\mathbf{Set}} : \mathbf{Sub}(\mathbf{Set}) \to \mathbf{Set}$. Let $T$ be the maybe monad $(-) + \{*\}$. There are two fibred liftings of $T$:

$\dot{T}_1(P \subseteq I) = (P + \{*\} \subseteq I + \{*\})$, \qquad $\dot{T}_2(P \subseteq I) = (P \subseteq I + \{*\})$

for each $(P \subseteq I) \in \mathbf{Sub}(\mathbf{Set})$. The lifting $\dot{T}_1$ corresponds to partial correctness, and $\dot{T}_2$ corresponds to total correctness. The fibred monads on $\{s_{\mathbf{Set}} \mid \mathit{sub}_{\mathbf{Set}}\}$ defined in Theorem 12 from $\dot{T}_1$ and $\dot{T}_2$ are given by

$((I, X), P, Q) \mapsto \big((I, X + \{*\}),\ P,\ \{(i, x) \mid (i \in P \wedge x = *) \vee (i, x) \in Q\}\big)$
$((I, X), P, Q) \mapsto \big((I, X + \{*\}),\ P,\ \{(i, x) \mid (i, x) \in Q\}\big)$

respectively. Here, we leave the left/right injections of the coproduct implicit.


Example 14. For each monad T on Set, we have a split fibred monad on 
the family fibration Fam(Set) → Set defined by T̂(I, X) = (I, T ∘ X). We 
have an oplax monad morphism θ : ∐_{i∈I} TX_i → T ∐_{i∈I} X_i defined by the 
cotupling [(Tι_i)_{i∈I}] : ∐_{i∈I} TX_i → T ∐_{i∈I} X_i where ι_i : X_i → ∐_{i∈I} X_i is 
the i-th injection. The condition (3) holds for any fibred lifting of T along the 
subobject fibration Sub(Set) → Set. Moreover, we have θ^*ṪQ = (ṪQ_i)_{i∈I} for 


each Q = (Q_i ⊆ X_i)_{i∈I} ∈ Sub(Set)_{∐_{i∈I} X_i}, so the monad in Theorem 12 is given by 


    ((I, X), P, (Q_i ⊆ X_i)_{i∈I}) ↦ ((I, T ∘ X), P, (ṪQ_i ⊆ TX_i)_{i∈I}). 
5 Soundness 


We consider a concrete dependent refinement type system with computational 
effects and define sound semantics to show that the SCCompC defined in 
Theorem 5 has sufficient structures for dependent refinement types. Here, we con- 
sider two type systems. One is an underlying type system that is a fragment 
of EMLTT [2-4]. The other is a refinement of the underlying type system that 
has refinement types {v : A | p} and a subtyping relation Γ ⊢ A <: B induced 
by logical implication. The two type systems share a common syntax for terms 
while types are more expressive in the refinement type system. We consider lift- 
ings of fibred adjunction models to interpret the refinement type system. Here, 
Theorem 12 can be used to obtain a lifting of fibred adjunction models via 
the Eilenberg-Moore construction. We prove a soundness theorem that claims that if a 
term is well-typed in the refinement type system, then the interpretation of the 
term has a lifting along the morphism of CCompCs defined in Theorem 5. 


5.1 Underlying Type System 


We define the underlying dependent type system by a slightly modified version 
of a fragment of EMLTT [2-4]. We remove some of the types and terms from 
the original for simplicity. We parameterize our type system with a set of base 
type constructors (ranged over by b) and a set of value constants (ranged over 
by c) for convenience. 

We define value types (A, B, ...), computation types (C, D, ...), contexts 
(Γ, ...), value terms (V, W, ...), and computation terms (M, N, ...) as follows. 


    A ::= 1 | b_A(V) | Σx:A.B | UC | A + B 

    C ::= FA | Πx:A.C        Γ ::= ⋄ | Γ, x:A 

    V ::= x | * | c_A | ⟨V, W⟩_{(x:A).B} | thunk M | inl_{A+B} V | inr_{A+B} V 

    M ::= return V | M to x:A in_C N | force_C V | λx:A.M | M(V)_{(x:A).C} | 
          pm V as (x:A, y:B) in_{z.C} M | 
          case V of_{z.C} (inl (x:A) ↦ M, inr (y:B) ↦ N) 


We implicitly assume that variables in Γ are mutually different. We use many 
type annotations in the syntax of terms for a technical reason, but we might 
omit them if they are clear from the context. We define substitution A[V/x], 
C[V/x], W[V/x], and M[V/x] as usual. 

For each type constructor b, let arg(b) be a closed value type of the argument 
of b. We write b : A → Type if A = arg(b). For each value constant c, let ty(c) 
be a closed value type of c. 

We have several kinds of judgements: well-formed contexts ⊢ Γ; well-formed 
(value or computation) types Γ ⊢ A, Γ ⊢ C; well-typed (value or computation) 
terms Γ ⊢ V : A, Γ ⊢ M : C; and definitional equalities for contexts, types and 
terms ⊢ Γ₁ = Γ₂, Γ ⊢ A = B, Γ ⊢ C = D, Γ ⊢ V = W : A, Γ ⊢ M = N : C. 

Typing rules are basically the same as EMLTT. Rules for base type construc- 
tors and value constants are shown in Fig. 2. 

    ⊢ Γ    ⋄ ⊢ ty(c)                b : A → Type    ⋄ ⊢ A    Γ ⊢ V : A 
    ──────────────────────          ──────────────────────────────────── 
    Γ ⊢ c_{ty(c)} : ty(c)           Γ ⊢ b_A(V) 

    b : A → Type    ⋄ ⊢ A    Γ ⊢ V = W : A 
    ──────────────────────────────────────── 
    Γ ⊢ b_A(V) = b_A(W) 


Fig. 2. Some typing rules for the underlying type system. 


Semantics. We use fibred adjunction models to interpret terms and types. We 
adapt the definition for our fragment of EMLTT as follows. 


Definition 15 (Fibred adjunction models). A fibred adjunction model is a 
fibred adjunction F ⊣ U : r → p where p : E → B is a SCCompC with strong 
fibred coproducts and r : C → B is a fibration with p-products. 


The Eilenberg-Moore fibration of a CCompC p : E → B inherits products in 
p [2, Theorem 4.3.24] and thus gives an example of fibred adjunction models. 


Lemma 16. Given a SCCompC p : E → B with strong fibred products and a 
split fibred monad T on p, the Eilenberg-Moore adjunction of T is a fibred 
adjunction model. 


We assume that a fibred adjunction model F ⊣ U : r → p between p : E → B 
and r : C → B is given and that interpretations of base type constructors ⟦b⟧ ∈ E 
and value constants ⟦c⟧ ∈ E_1(1, X) (for some X ∈ E_1) are given. We define a 
partial interpretation ⟦−⟧ of the following form for raw syntax. 


    ⟦Γ⟧ ∈ B        ⟦Γ; A⟧ ∈ E_{⟦Γ⟧}        ⟦Γ; C⟧ ∈ C_{⟦Γ⟧} 
    ⟦Γ; V⟧ ∈ E_{⟦Γ⟧}(1_{⟦Γ⟧}, A) for some A 
    ⟦Γ; M⟧ ∈ E_{⟦Γ⟧}(1_{⟦Γ⟧}, UC) for some C ∈ C_{⟦Γ⟧} 


Most of the definition of ⟦−⟧ is the same as [2]. For base type constructors b 
and value constants c, we define ⟦−⟧ as follows. 


    ⟦Γ; b_A(V)⟧ = (s⟦Γ; V⟧)^* (w_{Γ;A})^* ⟦b⟧        ⟦Γ; c_{ty(c)}⟧ = (!_{⟦Γ⟧})^* ⟦c⟧ 


Here, left-hand sides are defined if right-hand sides are defined; w_{Γ;A} : {⟦Γ; A⟧} → {⟦⋄; A⟧} 
denotes the weakening map and !_{⟦Γ⟧} : ⟦Γ⟧ → 1 the unique morphism to the terminal object. 


Proposition 17 (Soundness). Assume that ⟦b⟧ ∈ E_{{⟦⋄; A⟧}} holds for each b : 
A → Type such that ⟦⋄; A⟧ is defined, and ⟦c⟧ ∈ E_1(1, ⟦⋄; ty(c)⟧) holds if ⟦⋄; ty(c)⟧ 
∈ E_1 is defined. Interpretations ⟦−⟧ of well-formed contexts and types and well- 
typed terms are defined. If two contexts, types, or terms are definitionally equal, 
then their interpretations are equal. 


5.2 Predicate Logic 


We define syntax for logical formulas by 


    p ::= ⊤ | p ∧ q | p ⊃ q | ∀x:A.p | V =_A W | a(V) 

    Γ ⊢ V : A    Γ ⊢ W : A            a : A → Prop    ⋄ ⊢ A    Γ ⊢ V : A 
    ──────────────────────────        ───────────────────────────────────── 
    Γ ⊢ V =_A W : Prop                Γ ⊢ a(V) : Prop 


Fig. 3. Some rules for well-formed predicates. 


where a ranges over predicate symbols. Here, we added ⊤ and V =_A W for the 
typing rules for the unique value of the unit type and variables of base types 
(i.e. for selfification [18]), respectively, which we describe later. However, there 
is a large amount of freedom to choose the syntax of logical formulas. The least 
requirement here is that logical formulas can be interpreted in a posetal fibration 
q : P → B, and interpretations of logical formulas admit semantic weakening, 
substitution, and conversion in the sense of [2, Proposition 5.2.4, 5.2.6]. So, we 
can almost freely add or remove logical connectives and quantifiers as long as 
q : P → B admits them. 

We define a standard judgement of well-formedness for logical formulas. Some 
of the rules for well-formedness are shown in Fig. 3 

Logical formulas are interpreted in the fibration q : P → B. We assume that 
an interpretation ⟦a⟧ ∈ P_{{⟦⋄; A⟧}} for each predicate symbol a : A → Prop is given. 
The interpretation ⟦Γ ⊢ p⟧ ∈ P_{⟦Γ⟧} is standard and defined inductively for each 
well-formed formula. For example: 


    ⟦Γ ⊢ V =_A W⟧ = (s⟦Γ; V⟧)^* (s(π^*_{⟦Γ;A⟧}⟦Γ; W⟧))^* Eq(⟦Γ; A⟧) 
    ⟦Γ ⊢ a(V)⟧ = (s⟦Γ; V⟧)^* (w_{Γ;A})^* ⟦a⟧ 


where a : A → Prop is a predicate symbol, s is the bijection defined in §2, and 
w_{Γ;A} : {⟦Γ; A⟧} → {⟦⋄; A⟧} is the weakening map. 


5.3 Refinement Type System 


We refine the underlying type system by adding predicates to base types and 
the unit type. From now on, we use the subscript A_u for types in the underlying 
type system to distinguish them from types in the refinement type system. 


    A ::= {v : b_{A_u}(V) | p} | {v : 1 | p} | Σx:A.B | UC | A + B 
    C ::= FA | Πx:A.C        Γ ::= ⋄ | Γ, x:A 


We use the same definition of terms as the underlying type system and the same 
set of base type constructors and value constants. Argument types of base type 
constructors b : A_u → Type are also the same, but types ty(c) assigned to value 
constants c are redefined as refinement types. Given a type A (or C) in the 
refinement type system, we define its underlying type |A| (or |C|) by induction 
where predicates are eliminated in the base cases. 


    |{v : b_{A_u}(V) | p}| = b_{A_u}(V)        |{v : 1 | p}| = 1 


Underlying contexts |Γ| are also defined by |⋄| = ⋄ and |Γ, x : A| = |Γ|, x : |A|. 
    b : A_u → Type    ⋄ ⊢ A_u    |Γ| ⊢ b_{A_u}(V)    |Γ|, v : b_{A_u}(V) ⊢ p : Prop 
    ───────────────────────────────────────────────────────────────────────── 
    Γ ⊢ {v : b_{A_u}(V) | p} 

    ⊢ Γ    |Γ| ⊢ b_{A_u}(V) = b_{A_u}(W)    Γ; v : b_{A_u}(V) | p ⊢ q 
    ───────────────────────────────────────────────────────────── 
    Γ ⊢ {v : b_{A_u}(V) | p} <: {v : b_{A_u}(W) | q} 

    ⊢ Γ₁, x : {v : b_{A_u}(V) | p}, Γ₂                                  ⊢ Γ    ⋄ ⊢ ty(c) 
    ──────────────────────────────────────────────────────────────      ────────────────────────── 
    Γ₁, x : {v : b_{A_u}(V) | p}, Γ₂ ⊢ x : {v : b_{A_u}(V) | v = x}     Γ ⊢ c_{|ty(c)|} : ty(c) 

    Γ ⊢ A₂ <: A₁    Γ, x : A₁ ⊢ C₁    Γ, x : A₂ ⊢ C₁ <: C₂ 
    ──────────────────────────────────────────────────────── 
    Γ ⊢ Πx:A₁.C₁ <: Πx:A₂.C₂ 

    ⊢ Γ₁ <: Γ₂    Γ₂ ⊢ V : A    Γ₁ ⊢ A <: B          ⊢ Γ 
    ───────────────────────────────────────          ──────────────────── 
    Γ₁ ⊢ V : B                                       Γ ⊢ * : {v : 1 | ⊤} 

    |Γ|, v : 1 ⊢ p : Prop          ⊢ Γ    Γ; v : 1 | p ⊢ q 
    ──────────────────────         ──────────────────────────────── 
    Γ ⊢ {v : 1 | p}                Γ ⊢ {v : 1 | p} <: {v : 1 | q} 


Fig. 4. Some typing rules for the refinement type system. 


Judgements in the refinement type system are as follows. We have judge- 
ments for well-formedness or well-typedness for contexts, types and terms in the 
refinement type system, which are denoted in the same way as the underlying 
type system. We do not consider definitional equalities for terms because they 
are the same as the underlying type system. Instead, we add judgements for sub- 
typing between types and contexts. They are denoted by ⊢ Γ₁ <: Γ₂ for contexts, 
Γ ⊢ A <: B for value types, and Γ ⊢ C <: D for computation types. 

Most of the term and type formation rules are similar to the underlying type 
system. We list some of the non-trivial modifications of typing rules in Fig. 4. 
We add typing rules for {v : b_{A_u}(V) | p} and {v : 1 | p}. Subtyping for these 
types is defined by judgements Γ; v : A_u | p ⊢ q for logical implication. Here, 
Γ; v : A_u | p ⊢ q means "assumptions in Γ and p imply q" where p and q are 
well-formed formulas in the context |Γ|, v : A_u. We do not specify derivation 
rules for the judgement Γ; v : A_u | p ⊢ q but assume soundness of the judge- 
ment (explained later). We allow "selfification" [18] for variables of base types. 
Subtyping for Σx:A.B, UC, FA, and Πx:A.C is defined covariantly except for 
the argument type A of Πx:A.C, which is contravariant. We have the rule of 
subsumption. Value constants are typed with a refined type assignment ty(c). 
The unique value * of the unit type has type {v : 1 | ⊤}. 


Lemma 18. If we eliminate predicates in the refinement types from well-formed 
contexts, types and terms, then we get well-formed contexts, types and terms of 
the underlying type system. 


— If ⊢ Γ, then ⊢ |Γ|. If Γ ⊢ A, then |Γ| ⊢ |A|. If Γ ⊢ C, then |Γ| ⊢ |C|. 
— If ⊢ Γ₁ <: Γ₂, then ⊢ |Γ₁| = |Γ₂|. If Γ ⊢ A <: B, then |Γ| ⊢ |A| = |B|. If 
Γ ⊢ C <: D, then |Γ| ⊢ |C| = |D|. 


Proof. By induction on the derivation of judgements. Each typing rule in the 
refinement type system has a corresponding rule in the underlying system. 


Example 19. We can express conditional branching using the elimination rule 
of the fibred coproduct type 1 + 1. For example, assume we have a base type 
constructor int : 1 → Type for integers and a value constant for comparison. 

    (<) : U(Πx:int.Πy:int.F({v : 1 | x < y} + {v : 1 | x > y})) 

We can define if x < y then M else N to be syntax sugar for 

    (x <′ y) to z in (case z of (inl v ↦ M, inr v ↦ N)) 


where (<′) = force (<). Note that M and N are typed in contexts that have 
v : {v : 1 | x < y} or v : {v : 1 | x > y} depending on the result of the comparison. 


5.4 Semantics 


Definition 20 (lifting of fibred adjunction models). Suppose that we have 
two fibred adjunction models F ⊣ U : q → p between p : E → B and q : C → B, 
and F̂ ⊣ Û : s → r between r : U → P and s : D → P. The fibred adjunction 
model F̂ ⊣ Û is a lifting of F ⊣ U if there exist functors u : U → E, v : D → C, 
and t : P → B such that these functors strictly preserve all structures of F̂ ⊣ Û 
to those of F ⊣ U. That is, (u, t) : r → p and (v, t) : s → q are split fibred 
functors, the pair of fibred functors (u, t) and (v, t) is a map of adjunctions in 
the 2-category Fib, (u, t) strictly preserves the CCompC structure and fibred 
coproducts, and (v, t) maps r-products to p-products in the strict sense. 


We assume that a lifting of fibred adjunction models is given as follows. 


    [Diagram (4): the lifted fibred adjunction model F̂ ⊣ Û between {p | q} : {E | P} → P 
    and D → P, sitting over the underlying model F ⊣ U between p : E → B and C → B 
    via the functors u : {E | P} → E, v : D → C and q : P → B.]                         (4) 
Here, we assume more than just a lifting of fibred adjunction models by requiring 
the specific SCCompC {p | q} with strong fibred coproducts, and the split functor 
(u, q) : {p | q} → p defined in Theorem 5 and Lemma 9. The underlying fibred 
adjunction model F ⊣ U is used for the underlying type system in §5.1, and 
q : P → B is for predicate logic in §5.2. One way to obtain such liftings of 
fibred adjunction models is to apply the Eilenberg-Moore construction to the 
monad morphism in Theorem 12, but in general we do not restrict C and D 
to be Eilenberg-Moore categories. We further assume that q has p-equalities to 
interpret logical formulas of the form V =_A W. 

We define the partial interpretation of refinement types ⟦Γ⟧ ∈ P, ⟦Γ; A⟧ ∈ 
{E | P}_{⟦Γ⟧} and ⟦Γ; C⟧ ∈ D_{⟦Γ⟧} similarly to the underlying type system but with 
the following modification. Here, we make use of the definition of {E | P}. 


    ⟦Γ; {v : b_{A_u}(V) | p}⟧ = (⟦|Γ|; b_{A_u}(V)⟧, ⟦Γ⟧, π^*⟦Γ⟧ ∧ ⟦|Γ|, v : b_{A_u}(V) ⊢ p⟧) 
    ⟦Γ; {v : 1 | p}⟧ = (⟦|Γ|; 1⟧, ⟦Γ⟧, π^*⟦Γ⟧ ∧ ⟦|Γ|, v : 1 ⊢ p⟧) 


For each (X, P, Q), (X′, P′, Q′) ∈ {E | P}, we define a semantic subtyping re- 
lation (X, P, Q) <: (X′, P′, Q′) by the conjunction of X = X′, P = P′, and 
Q ≤ Q′. In other words, we have (X, P, Q) <: (X′, P′, Q′) if and only if there 
exists a morphism (id_X, id_P, h) : (X, P, Q) → (X′, P′, Q′) that is mapped to 
identities by u : {E | P} → E and {p | q} : {E | P} → P. 
Lemma 21. — If ⟦Γ⟧ is defined, then ⟦|Γ|⟧ is defined and equal to q⟦Γ⟧. 

— If ⟦Γ; A⟧ is defined, then ⟦|Γ|; |A|⟧ is defined and equal to u⟦Γ; A⟧. 

— If ⟦Γ; C⟧ is defined, then ⟦|Γ|; |C|⟧ is defined and equal to v⟦Γ; C⟧. 


Proof. By simultaneous induction. The case of {v : A_u | p} is obvious, and other 
cases follow from the definition of liftings of fibred adjunction models. 


We do not specify syntactic derivation rules for the judgement for logical impli- 
cation Γ; v : A_u | p ⊢ q. Instead, we assume soundness of Γ; v : A_u | p ⊢ q in 
the following sense: π^*⟦Γ⟧ ∧ ⟦|Γ|, v : A_u ⊢ p⟧ ≤ ⟦|Γ|, v : A_u ⊢ q⟧ holds in 
P_{⟦|Γ|, v : A_u⟧}. For example, we can define a derivation rule for logical implication 
Γ; v : A_u | p ⊢ q from derivation rules for predicate logic Γ_u | p ⊢ q ("p implies q 
in the context Γ_u"). This is done by collecting predicates in the context Γ by 


    ⟨⋄⟩ = ⊤        ⟨Γ, x : A⟩ = ⟨Γ⟩ ∧ p[x/v]    if A = {v : A_u | p} 
                   ⟨Γ, x : A⟩ = ⟨Γ⟩             otherwise 


and defining a derivation rule for the judgement for logical implication Γ; v : A_u | 
p ⊢ q by |Γ|, v : A_u | ⟨Γ⟩ ∧ p ⊢ q. If the derivation rules for predicate logic 
Γ_u | p ⊢ q are sound (i.e., Γ_u | p ⊢ q implies ⟦Γ_u ⊢ p⟧ ≤ ⟦Γ_u ⊢ q⟧), then so is the 
derivation rule for Γ; v : A_u | p ⊢ q. This technique is used in, e.g., [27]. 


Theorem 22 (Soundness). Assume that Γ; v : A_u | p ⊢ q is sound in the 
sense described above, ⟦b⟧ ∈ E_{{⟦⋄; A⟧}} holds for each b : A → Type if ⟦⋄; A⟧ is 
defined, and ⟦c⟧ ∈ {E | P}_1(1, ⟦⋄; ty(c)⟧) holds if ⟦⋄; ty(c)⟧ ∈ {E | P}_1 is defined. 
Then we have the following. 

— If ⊢ Γ, then ⟦Γ⟧ ∈ P is defined. If Γ ⊢ A, then ⟦Γ; A⟧ ∈ {E | P}_{⟦Γ⟧} is defined. 
If Γ ⊢ C, then ⟦Γ; C⟧ ∈ D_{⟦Γ⟧} is defined. 

— If ⊢ Γ₁ <: Γ₂, then ⟦Γ₁⟧ ≤ ⟦Γ₂⟧ in a fibre category of P. 

— If Γ ⊢ A <: B, then ⟦Γ; A⟧ <: ⟦Γ; B⟧. If Γ ⊢ C <: D, then Û⟦Γ; C⟧ <: 
Û⟦Γ; D⟧. 

— If Γ ⊢ V : A, then there exists a lifting ⟦Γ; V⟧ : 1_{⟦Γ⟧} → ⟦Γ; A⟧ above 
⟦|Γ|; V⟧ along u : {E | P} → E. If Γ ⊢ M : C, then there exists a lifting 
⟦Γ; M⟧ : 1_{⟦Γ⟧} → Û⟦Γ; C⟧ above ⟦|Γ|; M⟧ along u : {E | P} → E. 

Since we have the bijection s : {E | P}_P(1_P, (X, P, Q)) ≅ {f : P → Q | 
π_{(X,P,Q)} ∘ f = id_P} for each (X, P, Q) ∈ {E | P}, we obtain liftings of interpre- 
tations of terms along q : P → B. 

Corollary 23. If Γ ⊢ V : A, then s⟦|Γ|; V⟧ : ⟦|Γ|⟧ → {⟦|Γ|; A⟧} has a lifting 
s⟦Γ; V⟧ : ⟦Γ⟧ → {⟦Γ; A⟧} along q : P → B (and similarly for computation terms 
Γ ⊢ M : C). 

Corollary 24. Assume the lifting of fibred adjunction models is given by ap- 
plying the Eilenberg-Moore construction to a lifting of monads in Theorem 12. 
If Γ ⊢ M : FA, then θ ∘ s⟦|Γ|; M⟧ : ⟦|Γ|⟧ → T{⟦|Γ|; A⟧} has a lifting of type 
⟦Γ⟧ → Ṫ{⟦Γ; A⟧} along q : P → B. 
6 Toward Recursion in Refinement Type Systems 


We consider how to deal with general recursion in dependent refinement type sys- 
tems. In [4], Ahman used a specific model of the fibration CFam(CPO) → CPO 
of continuous families of ω-cpos to extend EMLTT with recursion. However, we 
need to identify the structure that characterizes recursion to lift recursion from 
the underlying type system to dependent refinement type systems. So, we con- 
sider a generalization of Conway operators [22] and prove the soundness of the 
underlying and the dependent refinement type system extended with typing rules 
for recursion. This extension enables us to reason about partial correctness of 
general recursion. 

Unfortunately, we still do not know an example of liftings of Conway oper- 
ators, although (1) CFam(CPO) → CPO does have a Conway operator and 
(2) the soundness of the refinement type system with recursion holds under the 
existence of a lifting of Conway operators. We leave this problem for future work. 


6.1 Conway Operators 


The notion of Conway operators for cartesian categories is defined in [22]. We 
adapt the definition for comprehension categories with unit. We allow partially 
defined Conway operators because we need those defined only on interpretations 
of computation types. 


Definition 25 (Conway operator for comprehension categories with 
unit). Let p : E → B be a comprehension category with unit and K ⊆ E 
be a collection of objects. A Conway operator for the comprehension category 
with unit p defined on K is a family of mappings (−)^† : E_I(X, X) → E_I(1_I, X) 
for each X ∈ E_I ∩ K such that the following conditions are satisfied. 


(Naturality) For each X ∈ K, f ∈ E_I(X, X), and u : J → I, u^*(f^†) = (u^*f)^†. 
(Dinaturality) For each X, Y ∈ K, f ∈ E_I(X, Y), and g ∈ E_I(Y, X), (g ∘ 
f)^† = g ∘ (f ∘ g)^†. 
(Diagonal property) For each X ∈ K and f ∈ E_{{X}}(π^*_X X, π^*_X X), if π^*_X X ∈ 
K, then (φ(f^†))^† = (φ(δ^*(φ^{-1}(f))))^† holds where φ : E_{{X}}(1_{{X}}, π^*_X X) → 
E_I(X, X) is the isomorphism defined in §2. 


Lemma 26. Let B be a cartesian category. There is a bijective correspondence 
between the following. (1) Conway operators (−)^† on the cartesian category B. 
(2) Conway operators (−)^† on the simple comprehension category s(B) → B 
that are defined totally on s(B). 


Example 27. Let K ⊆ CFam(CPO) be a collection of objects defined by 
K = {(I, X) ∈ CFam(CPO) | for each i ∈ I, X_i has a least element}. For each 
(I, X) ∈ K and vertical morphism f = (id_I, (f_i)_{i∈I}) : (I, X) → (I, X), we define 
f^† = (id_I, (* ↦ lfp f_i)_{i∈I}) : (I, 1) → (I, X). Then (−)^† is a Conway operator, 
which is implicitly used in [4]. 
    Γ ⊢ C    Γ, x : UC ⊢ M : C            Γ ⊢ C = D    Γ, x : UC ⊢ M = N : C 
    ────────────────────────────          ────────────────────────────────────── 
    Γ ⊢ μx:UC.M : C                       Γ ⊢ μx:UC.M = μx:UD.N : C 

    Γ ⊢ C    Γ, x : UC ⊢ M : C                        Γ ⊢ C    Γ, x : UC, y : UC ⊢ M : C 
    ────────────────────────────────────────          ───────────────────────────────────── 
    Γ ⊢ M[thunk (μx:UC.M)/x] = μx:UC.M : C            Γ ⊢ μx:UC.μy:UC.M = μx:UC.M[x/y] : C 


Fig. 5. Typing rules for general recursion. 


6.2 Recursion in the Underlying Type System 


Syntax. We add recursion μx:UC.M to the syntax of computation terms. We 
also add typing rules in Fig. 5. 
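As an added worked check that is not part of the paper, the operator of Example 27 is verified against two of the properties it is used for: the dinaturality axiom of Definition 25, and the fixed-point equation that the unfolding rule of Fig. 5 (M[thunk (μx:UC.M)/x] = μx:UC.M) relies on at the level of lfp. The check is done pointwise in i ∈ I, so a single component is written; X and Y are assumed to be ω-cpos with least elements ⊥_X and ⊥_Y, and h : X → X, f : X → Y, g : Y → X are assumed continuous (these names are ours, not the paper's):

```latex
% Added check (not from the paper). One component of Example 27:
% X, Y are omega-cpos with least elements; h : X -> X, f : X -> Y, g : Y -> X are continuous.
\begin{align*}
% (a) Unfolding: h(lfp h) = lfp h. Continuity moves h inside the join; the n = 0 term
%     h^0(\bot_X) = \bot_X is below every element, so dropping it does not change the join.
h\Big(\bigvee_{n\ge 0} h^{n}(\bot_X)\Big)
  &= \bigvee_{n\ge 0} h^{n+1}(\bot_X)
   = \bigvee_{n\ge 1} h^{n}(\bot_X)
   = \bigvee_{n\ge 0} h^{n}(\bot_X) \\[1ex]
% (b) Dinaturality: (g o f)^dagger = g o (f o g)^dagger, i.e. lfp(g o f) = g(lfp(f o g)).
% Step 1: the chain (g o f)^n(g(\bot_Y)) is sandwiched by consecutive terms of (g o f)^n(\bot_X),
%         so both chains have the same join. Uses \bot_Y <= f(\bot_X) and monotonicity of g.
\bot_X &\le g(\bot_Y) \le g\big(f(\bot_X)\big) = (g\circ f)(\bot_X) \\
(g\circ f)^{n}(\bot_X) &\le (g\circ f)^{n}\big(g(\bot_Y)\big) \le (g\circ f)^{n+1}(\bot_X)
  \qquad\text{for all } n \ge 0 \\
% Step 2: push g through the join (continuity) and use g o (f o g)^n = (g o f)^n o g.
g\big(\mathrm{lfp}(f\circ g)\big)
  &= g\Big(\bigvee_{n\ge 0} (f\circ g)^{n}(\bot_Y)\Big)
   = \bigvee_{n\ge 0} g\big((f\circ g)^{n}(\bot_Y)\big)
   = \bigvee_{n\ge 0} (g\circ f)^{n}\big(g(\bot_Y)\big) \\
  &= \bigvee_{n\ge 0} (g\circ f)^{n}(\bot_X)
   = \mathrm{lfp}(g\circ f)
\end{align*}
```

Applied componentwise, (b) is exactly (g ∘ f)^† = g ∘ (f ∘ g)^† for the vertical morphisms of Example 27, and (a) is why interpreting μx:UC.M by a least fixed point validates the unfolding rule. Naturality of the same operator follows from the fact that reindexing along u : J → I in CFam(CPO) only reselects components, (u^*f)_j = f_{u(j)}, while lfp is computed one component at a time.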


Semantics. Assume we have a fibred adjunction model F ⊣ U : r → p where 
p : E → B and r : C → B. We need a Conway operator defined on objects in 
{⟦Γ; UC⟧ | Γ ⊢ C} ⊆ E. However, here is a circular definition because ⟦Γ; UC⟧ 
may contain terms of the form μx:UD.M, whose interpretations are defined 
by the Conway operator. So, we use a slightly stronger condition. 


Definition 28. A Conway operator defined on computation types is a Conway 
operator defined on K ⊆ E such that K satisfies the following conditions. (1) 
UFX ∈ K holds for each X ∈ E. (2) Π_X Y ∈ K holds for each X ∈ E and 
Y ∈ K ∩ E_{{X}}. (3) For each X ∈ K and Y ∈ E, X ≅ Y implies Y ∈ K. 


Given a Conway operator defined on computation types, we interpret μx : 
UC.M by ⟦Γ; μx:UC.M⟧ = (φ(⟦Γ, x : UC; M⟧))^† : 1_{⟦Γ⟧} → U⟦Γ; C⟧. 


Proposition 29. Soundness (Proposition 17) holds for the underlying type sys- 
tem extended with general recursion. 


Proof. By induction. We can prove that the given Conway operator is defined 
on {⟦Γ; UC⟧ | Γ ⊢ C} ⊆ E by [2, Proposition 4.1.14]. 


6.3 Recursion in Refinement Type System 


Syntax. We add the typing rule for Γ ⊢ μx:UC.M : C in Fig. 5 to the refinement 
type system. Here, recall that we remove definitional equalities when we consider 
the refinement type system. 


Semantics. We consider liftings of Conway operators to interpret recursion in 
the refinement type system. 


Definition 30. Let p : E → B and q : D → A be comprehension categories 
with unit, and (u, v) : p → q be a morphism of comprehension categories with unit. 
Assume q has a Conway operator (−)^† defined on K ⊆ D. A lifting of the Conway 
operator (−)^† along (u, v) is a Conway operator (−)^‡ for p defined on L ⊆ E 
such that uL ⊆ K and u(f^‡) = (uf)^† for each f ∈ E(X, X) where X ∈ L. 
Lemma 31. Let (u, v) be the morphism of CCompCs defined in Theorem 5. As- 
sume p : E → B has a Conway operator (−)^† defined on K ⊆ E. The CCompC 
{E | P} → P has a lifting of the Conway operator defined on L ⊆ {E | P} if 
uL ⊆ K and, for each (X, P, Q) ∈ L and (f, id_P, h) ∈ {E | P}_P((X, P, Q), (X, P, Q)), 
{f^†} has a lifting π^*_{1_{pX}}P → Q along q : P → B. 


Proof. Let (f, id_P, h) : (X, P, Q) → (X, P, Q) be a morphism in {E | P} where 
(X, P, Q) ∈ L. We define a Conway operator by (f, id_P, h)^‡ = (f^†, id_P, h′) : 
(1_{pX}, P, π^*_{1_{pX}}P) → (X, P, Q) where h′ is a lifting of {f^†}. 


We assume that a lifting of fibred adjunction models (4) together with a 
lifting of Conway operators defined on computation types is given. 


Theorem 32. Soundness (Theorem 22) holds for the refinement type system 
extended with general recursion. 


Consider the fibration CFam(CPO) → CPO for the underlying type system 
with recursion. To support recursion in our refinement type system, a natural 
choice of a fibration for predicate logic is the fibration of admissible subsets 
Adm(CPO) → CPO because the least fixed point of an ω-continuous function 
f : X → X is given by lfp f = ⋁_n f^n(⊥). However, we cannot apply Theorem 5 
because Adm(CPO) → CPO is not a fibred ccc [9, §4.3.2]. Specifically, it is not 
clear whether this combination admits products. We believe that our approach is 
quite natural but leave giving concrete examples of liftings of Conway operators 
for future work. 


7 Related Work 


Dependent refinement types. Historically, there are two kinds of refinement types. 
One is datasort refinement types [7], which are subsets of underlying types but 
not necessarily dependent. The other is index refinement types [28]. A typical 
example of index refinement types is a type of lists indexed by natural num- 
bers that represent the length of lists. Nowadays, the word “refinement types” 
includes datasort and index refinement types, and moreover, mixtures of them. 

Among a wide variety of the meaning of refinement types, we focus on types 
equipped with predicates that may depend on other terms [6,20], which we 
call dependent refinement types or just refinement types. Dependent refinement 
types are widely studied [5,13,14,25], and implemented in, e.g., F* [23,24] and 
LiquidHaskell [19,26,27]. However, most studies focus on decidable type systems, 
and only a few consider categorical semantics. 

We expect that some of the existing refinement type systems are combined 
with effect systems. For example, a dependent refinement type system for non- 
determinism and partial/total correctness proposed in [25] contains types for 
computations indexed by quantifiers Q₁Q₂ where Q₁, Q₂ ∈ {∀, ∃}. Here, Q₁ rep- 
resents may/must nondeterminism, and Q₂ represents total/partial correctness. 
It has been shown that Q₁Q₂ corresponds to four cartesian liftings of the monad 
P((−) + 1) [1,12]. We conjecture that these liftings are connected by monad 
morphisms and hence yield a lattice-graded monad. Another example is a rela- 
tional refinement type system for differential privacy [5]. Their system seems to 
use a graded lifting of the distribution monad where the lifting is graded by pri- 
vacy parameters, as pointed out in [21]. We leave for future work combining our 
refinement type system with effect systems based on graded monads [8, 11, 15]. 


Categorical semantics. Our interpretation of refinement type systems is based 
on a morphism of CCompCs, which is a similar strategy to [16]. The difference 
is that our paper focuses on dependent refinement types and makes the role 
of predicate logic explicit by giving a semantic construction of refinement type 
systems from given underlying type systems and predicate logic. 

Combining dependent types and computational effects is discussed in [2-4]. 
Although their aim is not at refinement types, their system is a basis for the 
design and semantics of our refinement type system with computational effects. 

Semantics for types of the form {v : A_u | p} are characterized categorically 
as right adjoints of terminal object functors in [10, Chapter 11]. Such types are 
called subset types there. They consider the situation where a given CCompC 
p : E → B is already rich enough to interpret {v : A_u | p}, and do not aim to 
interpret refinement type systems by liftings of CCompCs. Moreover, we cannot 
directly use the interpretations in [10] for our CCompC {E | P} → P because we 
are not given a fibration for predicate logic whose base category is P. 


8 Conclusion and Future Work 


We provided a general construction of liftings of CCompCs from combinations 
of CCompCs and posetal fibrations satisfying certain conditions. This can be 
seen as a semantic counterpart of constructing dependent refinement type sys- 
tems from underlying type systems and predicate logic. We identified sufficient 
conditions for several structures in underlying type systems (e.g. products, co- 
products, fibred coproducts, fibred monads, and Conway operators) to lift to 
dependent refinement type systems. We proved the soundness of a dependent 
refinement type system with computational effects with respect to interpreta- 
tions in CCompCs obtained from the general construction. 

We aim to extend our dependent refinement type system by combining ef- 
fect systems based on graded monads [8, 11,15]. We hope that this extension 
will give us a more expressive framework that subsumes, for example, dependent 
refinement type systems in [5,25]. Another direction is to define interpretations 
of {v : A_u | p} in the style of subset types in [10, Chapter 11]. Lastly, we 
are interested in finding more examples of possible combinations of underlying 
type systems and predicate logic (especially for recursion in dependent refine- 
ment type systems but not limited to this) so that we can find a new practical 
application of this paper. 
Abstract. We study stochastic games with energy-parity objectives, 
which combine quantitative rewards with a qualitative ω-regular condition: 
The maximizer aims to avoid running out of energy while simultaneously 
satisfying a parity condition. We show that the corresponding almost-sure 
problem, i.e., checking whether there exists a maximizer strategy that 
achieves the energy-parity objective with probability 1 when starting at 
a given energy level k, is decidable and in NP ∩ coNP. The same holds 
for checking if such a k exists and if a given k is minimal. 


Keywords: Simple Stochastic Games, Parity Games, Energy Games 


1 Introduction 


Simple stochastic games (SSGs), also called competitive Markov decision processes 
[30], or 2½-player games [23,22], are turn-based games of perfect information 
played on finite graphs. Each state is either random or belongs to one of the 
players (maximizer or minimizer). A game is played successively moving a pebble 
along the game graph, where the next state is chosen by the player who owns 
the current one or, in the case of random states, according to a predefined 
distribution. This way, an infinite run is produced. The maximizer tries to achieve 
an objective (in our case almost surely), while the minimizer tries to prevent this. 
The maximizer can be seen as a controller trying to ensure an objective in the 
face of both known random failure modes (encoded by the random states) and 
an unknown or hostile environment (encoded by the minimizer player). 

Stochastic games were first introduced in Shapley’s seminal work [46] in 1953 
and have since then played a central role in the solution of many problems 
in computer science, including synthesis of reactive systems [45,42]; checking 
interface compatibility [27]; well-formedness of specifications [28]; verification of 
open systems [4]; and many others. 

A huge variety of objectives for such games was already studied in the 
literature. We will mainly focus on three of them in this paper: parity; mean- 
payoff; and energy objectives. In order to define them we assume that numeric 
rewards are assigned to transitions, and priorities (encoded by bounded non- 
negative numbers) are assigned to states. 
The parity objective simply asks that the minimal priority that appears 
infinitely often in a run is even. Such a condition is a canonical way to define 
desired behaviors of systems, such as safety, liveness, fairness, etc.; it subsumes 
all ω-regular objectives. The algorithmic problem of deciding the winner in non- 
stochastic parity games is polynomial-time equivalent to the model checking of 
the modal μ-calculus and is at the center of the algorithmic solutions to 
Church's synthesis problem [44]. But the impact of parity games goes well beyond 
automata theory and logic: They facilitated the solution of two long-standing 
open problems in stochastic planning [29] and in linear programming [32], which 
was done by careful adaptation of the parity game examples on which the strategy 
improvement algorithm requires exponentially many iterations. 

The parity objective can be seen as a special case of the mean-payoff ob- 
jective that asks for the limit average reward per transition along the run to 
be non-negative. Mean-payoff objectives are among the first objectives studied 
for stochastic games and go back to a 1957 paper by Gillette [33]. They allow 
for reasoning about the efficiency of a system, e.g., how fast it operates once 
optimally controlled. 


The energy objective can be seen as a refinement of the mean-payoff 
objective. It asks for the accumulated reward at any point of a run not to be 
lower than some finite threshold. As the name suggests, it is useful when reasoning 
about systems with a finite initial energy level that should never become depleted. 
Note that the accumulated reward is not bounded a-priori, which essentially 
turns a finite-state game into an infinitely-state one. 

In this paper we consider SSGs with energy-parity objectives, which requires 
runs to satisfy both an energy and a parity objective. It is natural to consider 
such an objective for systems that should not only be correct, but also energy 
efficient. For instance, consider a robot maintaining a nuclear power plant. We 
not only require the robot to correctly react to all possible chains of events 
(parity objective for functional correctness), but also never to run out of energy 
as charging it manually would be risky (energy objective). 

While the complexity of games with single objectives is often in NP ∩ coNP, 
asking for multiple objectives often makes solving games harder. Parity games 
are commonly viewed as the simplest of these objectives, and some traditional 
solutions for non-stochastic games go through simple reductions to mean-payoff or 
energy conditions (which are quite similar in non-stochastic games) to discounted 
payoff games that establish the membership of those problems in UP and coUP 
[35]. However, asking for two parity objectives to be satisfied at the same time 
leads to coNP completeness [21]. 

We study the almost-sure satisfaction of the energy-parity objective, i.e., 
with probability 1. Such qualitative analysis is important as there are many 
applications where we need to know whether the correct behavior arises almost 
surely, e.g., in the analysis of randomized distributed algorithms (see, e.g., [43,47]) 
and safety-critical examples like the one from above. Moreover, the algorithms 
for quantitative analysis, i.e., computing the optimal probability of satisfaction, 
typically start by performing the qualitative analysis first and then solving a 
game with a simpler objective (see, e.g., [23,15]). Finally, there are stochastic 
models for which qualitative analysis is decidable but the quantitative one is not 
(e.g., probabilistic finite automata [6]). This may also be the case for our model. 


Our contributions. We consider stochastic games with energy-parity winning 
conditions and show that deciding whether maximizer can win almost-surely for 
a given initial energy level $k$ is in NP ∩ coNP. We show the same for checking if 
such a $k$ exists at all and for checking if a given $k$ is the smallest possible for which this 
holds. The proofs are considerably harder than the corresponding result for MDPs 
[40] (on which they are partly based), because the attainable mean-payoff value 
is no longer a valid criterion in the analysis (via combinations of sub-objectives). 
E.g., even though the stored energy might be inexorably drifting towards $+\infty$ 
(resp. $-\infty$), the mean-payoff value might still be zero because the minimizer 
(resp. maximizer) can delay payoffs for longer and longer (though not indefinitely, 
due to the parity condition). Moreover, the minimizer might be able to choose 
between different ways of losing and never commit to any particular way after 
any finite prefix of the play (see Example 1). 

Our proof characterizes almost-sure energy-parity via a recursive combination 
of complex sub-objectives called Gain and Bailout, which can each eventually be 
solved in NP ∩ coNP. 

Our proof of the coNP membership is based on a result on the strategy 
complexity of a natural class of objectives, which is of independent interest. We 
show (cf. Theorem 6, based on previous work in [34]) that, if an objective $O$ is 
such that its complement is both shift-invariant and submixing, and every 
MDP admits optimal finite-memory deterministic maximizer strategies for $O$, 
then the same is true in turn-based stochastic games. 


Example 1. Fig. 1 shows an energy-parity game that the maximizer can win 
almost surely when starting with an energy level of $\geq 2$ from the middle left 
node. Whenever the game is at that node with an energy level $\geq 3$, then the 
maximizer can turn left and has at least a $1/4$ chance that the energy level will 
never drop to 2 while winning the game with priority 2. This is because we can 
view this process as a random walk on a half line. If $x_n$ is the probability of 
reaching energy level 2 when starting at energy $n$ then these probabilities are 
the least point-wise positive solution to a system of linear equations: $x_2 = 1$, 
and for every $n \geq 3$, $x_n$ is the average of the $x$-values at the energy levels 
reachable in one step of the walk, weighted by the step probabilities. Solving this 
system gives a closed form for $x_n$ from which the probability of not reaching 
energy level 2 is $\geq 1/4$ for all $n \geq 3$. Always turning left 
guarantees that, almost surely, the parity condition holds and the limes inferior 
of the energy level is not $-\infty$. We call this condition Gain. Strategies for Gain 
can be used when the energy level is sufficiently high (at least 3 in our example) 
to win with a positive probability. 

Fig. 1: A SSG with two maximizer states, one minimizer state and one 
probabilistic state. Each state is annotated with its priority. Each edge is 
annotated with a reward by which the energy level is increased after traversing 
it (respectively, decreased if the reward is negative). The maximizer wins if the 
lowest priority visited infinitely often is even and the energy level never drops 
below 0. 

However, if maximizer plays for Gain and always moves left, then for every 
initial energy level the chance of eventually dropping the energy down to level 2 
is positive, due to the negative cycle. When that happens, the only other option 
for the maximizer is to move right. There minimizer can ‘choose how to lose’, 
via a disjunction of two conditions that we later formalize as Bailout. Either 
minimizer goes back to the start state without changing the energy level (thus 
maximizer wins as the energy stays at level 2 and only the good priority 2 is 
seen), or minimizer turns right. In the latter case, the play visits a dominating 
odd priority (which is bad for maximizer) but also increases the energy by 1, 
which allows maximizer to switch back to playing left for the Gain condition 
until energy level 2 is reached again. 

Our maximizer strategies are a complex interplay between Bailout and Gain. 
In the example, it is easy to see that the probability of seeing priority 1 infinitely 
often is zero if maximizer follows the just described strategy (the probability 
of requiring to go right more than $n$ times is at most $(3/4)^n$), so maximizer wins 
this energy-parity game almost surely. Note that maximizer does not win almost 
surely when the initial energy level is 0 or 1. 
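The random-walk argument of Example 1, as an added worked example that is not part of the paper: the step probability of the walk cannot be read off Fig. 1 in this copy, so the up-step probability `P_UP = 4/7` below is an assumption chosen so that the numbers reproduce the bounds quoted in the example (survival chance $1/4$ from level 3, tail bound $(3/4)^n$ on the number of Bailout phases). The functions compute the least solution of the hitting-probability system in exact arithmetic, check it against the recurrence, and derive the tail bound from the per-phase survival probability.

```python
"""Hitting probabilities of a +1/-1 random walk on the half line, used to bound
the chance that a Gain phase drops back to the Bailout threshold (cf. Example 1)."""
from fractions import Fraction


def hitting_probabilities(p_up, n_max, target=2):
    """Least non-negative solution x of
         x_target = 1,   x_n = p_up * x_{n+1} + (1 - p_up) * x_{n-1}   for n > target,
    i.e. the probability of ever reaching energy level `target` from level n.
    Every solution of the recurrence has the form A + B*(q/p)^(n-target); the
    point-wise least one with x_target = 1 is A = 0, B = 1 (gambler's ruin)."""
    p = Fraction(p_up)
    q = 1 - p
    if not 0 < p < 1:
        raise ValueError("p_up must be a probability strictly between 0 and 1")
    if p <= q:
        # no upward drift: the walk hits `target` almost surely from every level
        return {n: Fraction(1) for n in range(target, n_max + 1)}
    return {n: (q / p) ** (n - target) for n in range(target, n_max + 1)}


def satisfies_equations(xs, p_up, target=2):
    """Check x_target = 1 and the recurrence at every interior level of `xs`."""
    p = Fraction(p_up)
    q = 1 - p
    top = max(xs)
    if xs[target] != 1:
        return False
    return all(xs[n] == p * xs[n + 1] + q * xs[n - 1] for n in range(target + 1, top))


def survival_probability(p_up, target=2):
    """Chance that a walk started one level above `target` never comes back down to it."""
    return 1 - hitting_probabilities(p_up, target + 1, target)[target + 1]


def bailout_tail_bound(p_up, n, target=2):
    """Each Gain phase starts at level target+1 (or higher) and succeeds forever with
    probability >= survival_probability, so needing more than n Bailout phases has
    probability at most (1 - survival_probability)^n."""
    return (1 - survival_probability(p_up, target)) ** n


if __name__ == "__main__":
    # Assumed, not read off the figure: up-step probability 4/7 reproduces the
    # bounds quoted in Example 1 (survival >= 1/4, tail bound (3/4)^n).
    P_UP = "4/7"
    xs = hitting_probabilities(P_UP, 8)
    for n, x in xs.items():
        print(f"x_{n} = {x}")
    print("survival from level 3:", survival_probability(P_UP))
    print("P(more than 5 bailouts) <=", bailout_tail_bound(P_UP, 5))
```

The closed form is exact, so `satisfies_equations` is a genuine check of the recurrence rather than a numerical approximation; with a drift-free or downward-drifting walk (`p_up <= 1/2`) every level hits the threshold almost surely and no Gain phase can be relied upon, which is why the example needs the upward drift.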


Previous work on combined objectives. Non-stochastic energy-parity games 
have been studied in [16]. They can be solved in NP ∩ coNP and maximizer 
strategies require only finite (but exponential) memory, a property that also 
allowed showing P-time inter-reducibility with mean-payoff parity games. More 
recently they were also shown to be solvable in pseudo-quasi-polynomial time [26]. 
Related results on non-stochastic games (e.g., mean-payoff parity) are summarized 
in [18]. 

Most existing work on combined objectives for stochastic systems, for example 
[17,19,40], is restricted to Markov decision processes (MDPs; aka 1½-player 
games). Almost-sure energy-parity objectives for MDPs were first considered in 
earlier work, where a direct reduction to ordinary energy games was proposed. This 
reduction relies on the assumption that maximizer can win using finite memory 
if at all. Unfortunately, this assumption does not necessarily hold: it was shown 
in [40] that an almost-sure winning strategy for energy-parity in finite MDPs 
may require infinite memory. Nevertheless, it was possible to recover the original 
result, that deciding the existence of a.s. winning strategies is in NP ∩ coNP 
(and pseudo-polynomial time), by showing that the existence of an a.s. winning 
strategy can be witnessed by the existence of two compatible, and finite-memory, 
winning strategies for two simpler objectives. We generalize this approach from 
MDPs to full stochastic games. 

Stochastic mean-payoff parity games were studied in [20], where it was shown 
that they can be solved in NP ∩ coNP. However, this does not imply a solution for 
stochastic energy-parity games, since, unlike in the non-stochastic case [16], there 
is no known reduction from energy-parity to mean-payoff parity in stochastic 
games. (That reduction relies on the fact that maximizer has a winning finite- 
memory strategy for energy-parity, which does not generally hold for stochastic 
games or MDPs; see above.) 

A related model are the 1-counter MDPs (and stochastic games) studied in 
[12,7,8], since the value of the counter can be interpreted as the stored energy. 
These papers consider the objective of reaching counter value zero (which is 
dual to the energy objective of staying above zero), thus the roles of minimizer 
and maximizer are swapped. However, unlike in this paper, these works do not 
combine termination objectives with extra parity conditions. 


Structure of the paper. The rest of the paper is organized as follows. We 
start by introducing the notation and formal definitions of games and objectives 
in the next section. In Section 3 we show how checking almost-sure energy-parity 
objectives can be characterized in terms of two newly defined auxiliary objectives: 
Gain and Bailout. In Sections 4 and 5 we show that almost-sure Bailout and 
Gain objectives, respectively, can be checked in NP and coNP. Section 6 contains 
our main result: NP and coNP algorithms for checking almost-sure energy-parity 
games with a known and unknown initial energy, as well as checking if a given 
initial energy is the minimal one. We conclude and point out some open problems 
in Section 7. Due to page restrictions, most proofs in the main body of the paper 
were replaced by sketches. The detailed proofs can be found in the full version of 
this paper [41]. 


2 Preliminaries 


A probability distribution over a set $X$ is a function $f : X \to [0,1]$ such that 
$\sum_{x \in X} f(x) = 1$. We write $\mathcal{D}(X)$ for the set of distributions over $X$. 


Games, Strategies, Measures. A Simple Stochastic Game (SSG) is a directed 
graph $G = (V, E, \lambda)$, where all states have an outgoing edge and the set of 
states is partitioned into states owned by maximizer ($V_\Box$), minimizer ($V_\Diamond$) and 
probabilistic states ($V_\bigcirc$). The set of edges is $E \subseteq V \times V$ and $\lambda : V_\bigcirc \to \mathcal{D}(E)$ 
assigns each probabilistic state a probability distribution over its outgoing edges. 
W.l.o.g., we assume that each probabilistic state has at most two successors, 
because one can introduce a new probabilistic state for each excess successor. We 
let $\lambda(ws) = \lambda(s)$ for all $ws \in (VE)^*V_\bigcirc$. 

A path is a finite or infinite sequence $\rho = s_0 e_0 s_1 e_1 \ldots$ such that $e_i = 
(s_i, s_{i+1}) \in E$ holds for all indices $i$. A run is an infinite path and we write 
$Runs \stackrel{\text{def}}{=} (VE)^\omega$ for the set of all runs. 
A strategy for maximizer is a function $\sigma : (VE)^*V_\Box \to \mathcal{D}(E)$ that assigns 
to each path $ws \in (VE)^*V_\Box$ a probability distribution over the outgoing edges 
of its target node $s$. That is, $\sigma(ws)(e) > 0$ implies $e = (s,t) \in E$ for some 
$t \in V$. A strategy is called memoryless if $\sigma(xs) = \sigma(ys)$ for all $x, y \in (VE)^*$ 
and $s \in V_\Box$, deterministic if $\sigma(w)$ is Dirac for all $w \in (VE)^*V_\Box$, and finite-state 
if there exists an equivalence relation $\sim$ on $(VE)^*V_\Box$ with a finite index, such 
that $\sigma(\rho_1) = \sigma(\rho_2)$ if $\rho_1 \sim \rho_2$. Of particular interest to us will be the class 
of memoryless deterministic strategies (MD) and the class of finite-memory 
deterministic strategies (FD). Strategies for minimizer are defined analogously 
and will usually be denoted by $\tau : (VE)^*V_\Diamond \to \mathcal{D}(E)$. 

A maximizing (minimizing) Markov Decision Process (MDP) is a game in 
which minimizer (maximizer) has no choices, i.e., all her states have exactly one 
successor. We will write $G[\tau]$ for the MDP resulting from fixing the strategy $\tau$. A 
Markov chain is a game where neither player has a choice. In particular, $G[\sigma, \tau]$ is 
a Markov chain obtained by setting, in the game $G$, the strategies for maximizer 
and minimizer to $\sigma$ and $\tau$, respectively. 

Given an initial state $s \in V$ and strategies $\sigma$ and $\tau$ for maximizer and 
minimizer, respectively, the set of runs starting in $s$ naturally extends to a 
probability space as follows. We write $Runs^G_w$ for the $w$-cylinder, i.e., the set of all 
runs with prefix $w \in (VE)^*V$. We let $\mathcal{F}^G_s$ be the $\sigma$-algebra generated by all these 
cylinders. We inductively define a probability function $\mathcal{P}^{G,\sigma,\tau}_s$ on all cylinders, 
which then uniquely extends to $\mathcal{F}^G_s$ by Carathéodory’s extension theorem [5], by 
setting $\mathcal{P}^{G,\sigma,\tau}_s(Runs^G_s) = 1$ and 
$$\mathcal{P}^{G,\sigma,\tau}_s(Runs^G_w) = \prod_{i<n} dist_i(s_0 e_0 s_1 e_1 \ldots s_i)(e_i)$$ 
for $w = s_0 e_0 s_1 e_1 \ldots e_{n-1} s_n$, where $s_0 = s$, $e_i = (s_i, s_{i+1})$ and $dist_i$ is $\sigma(\cdot)$, $\tau(\cdot)$ 
or $\lambda(\cdot)$, for $s_i \in V_\Box$, $V_\Diamond$ or $V_\bigcirc$, respectively. 


Objective Functions. A (Borel) objective is a set $Obj \in \mathcal{F}^G_s$ of runs. We write 
$\overline{Obj} = Runs \setminus Obj$ for its complement. Borel objectives $Obj$ are weakly determined, 
which means that 
$$\sup_\sigma \inf_\tau \mathcal{P}^{G,\sigma,\tau}_s(Obj) = \inf_\tau \sup_\sigma \mathcal{P}^{G,\sigma,\tau}_s(Obj).$$ 
This quantity is called the value of $Obj$ in state $s$, and written as $Val^G_s(Obj)$. We 
say that $Obj$ holds almost-surely (abbreviated as a.s.) at state $s$ iff there exists 
$\sigma$ such that $\forall \tau.\ \mathcal{P}^{G,\sigma,\tau}_s(Obj) = 1$. Let $AS^G(Obj)$ denote the set of states at which 
$Obj$ holds almost surely. We will drop the superscript $G$ and simply write $Runs$, 
$\mathcal{P}^{\sigma,\tau}_s$ and $AS(Obj)$, if the game is clear from the context. 

We use the syntax and semantics of operators F (eventually) and G (always) 
from the temporal logic LTL to specify some conditions on runs. 


A reachability condition is defined by a set of target states $T \subseteq V$. A run 
$\rho = s_0 e_0 s_1 \ldots$ satisfies the reachability condition iff there exists an $i \in \mathbb{N}$ s.t. 
$s_i \in T$. We write $\mathsf{F}T \subseteq Runs$ for the set of runs that satisfy this reachability 
condition. Given a set of states $W \subseteq V$, we lift this to a safety condition on runs 
and write $\mathsf{G}W \subseteq Runs$ for the set of runs $\rho = s_0 e_0 s_1 \ldots$ where $\forall i.\ s_i \in W$. 
A parity condition is given by a bounded function $parity : V \to \mathbb{N}$ that assigns 
a priority (a non-negative integer) to each state. A run $\rho \in Runs$ satisfies the 
parity condition iff the minimal priority that appears infinitely often on the run 
is even. The parity objective is the subset $PAR \subseteq Runs$ of runs that satisfy the 
parity condition. 

Energy conditions are given by a function $r : E \to \mathbb{Z}$ that assigns a reward 
value to each edge. For a given initial energy value $k \in \mathbb{N}$, a run $s_0 e_0 s_1 e_1 \ldots$ 
satisfies the $k$-energy condition if, for every finite prefix of length $n$, the energy 
level $k + \sum_{i<n} r(e_i)$ is greater than or equal to 0. Let $EN(k) \subseteq Runs$ denote the 
$k$-energy objective, consisting of those runs that satisfy the $k$-energy condition. 

The $l$-storage condition holds for a run $s_0 e_0 s_1 e_1 \ldots$ if $l + \sum_{i=m}^{n-1} r(s_i, s_{i+1}) \geq 0$ 
holds for every infix $s_m e_m s_{m+1} \ldots s_n$. Let $ST(k,l) \subseteq Runs$ denote the $k$-energy 
$l$-storage objective, consisting of those runs that satisfy both the $k$-energy and 
the $l$-storage condition. We write $ST(k)$ for $\bigcup_l ST(k,l)$. Clearly, $ST(k) \subseteq EN(k)$. 


Mean-payoff and limit-payoff conditions are defined w.r.t. the same reward 
function as the energy conditions. The mean-payoff value of a run $\rho = s_0 e_0 s_1 e_1 \ldots$ 
is $MP(\rho) = \liminf_{n \to \infty} \frac{1}{n} \sum_{i<n} r(e_i)$. For $\Delta \in \{>, \geq, =, \leq, <\}$ and $c \in \mathbb{R} \cup 
\{-\infty, \infty\}$, the set $MP(\Delta c) \subseteq Runs$ consists of all runs $\rho$ with $MP(\rho)\,\Delta\,c$. Let 
$LimInf(\Delta c) \subseteq Runs$ contain all runs $\rho$ with $(\liminf_{n \to \infty} \sum_{i<n} r(e_i))\,\Delta\,c$, and 
likewise for $LimSup(\Delta c)$. 

The combined energy-parity objective $EN(k) \cap PAR$ is Borel and therefore 
weakly determined, meaning that it has a well-defined (inf sup = sup inf) value 
for every game [39,38]. Moreover, the almost-sure energy-parity objective (asking 
to win with probability 1) is even strongly determined [37]: either maximizer has 
a strategy to enforce the condition with probability 1 or minimizer has a strategy 
to prevent this. 


3 Characterizing Energy-Parity via Gain and Bailout 


The main theorem of this section (Theorem 5) characterizes almost-sure energy- 
parity objectives in terms of two intermediate objectives called Gain and $k$-Bailout 
for parameters $k \geq 0$. This will form the basis of all computability results: we 
will show (as Theorems 14, 17 and 18) how to compute almost-sure sets for these 
intermediate objectives. 


Definition 2. Consider a finite SSG $G = (V, E, \lambda)$, as well as reward and parity 
functions defining the objectives $PAR$, $LimInf(> -\infty)$, $LimSup(= \infty)$ as well as 
$ST(k,l)$ and $EN(k)$ for every $k, l \in \mathbb{N}$. We define combined objectives $Gain$ and 
$k\text{-}Bailout \stackrel{\text{def}}{=} \bigcup_l Bailout(k,l)$ where 
$$Gain \stackrel{\text{def}}{=} LimInf(> -\infty) \cap PAR$$ 
$$Bailout(k,l) \stackrel{\text{def}}{=} (ST(k,l) \cap PAR) \cup (EN(k) \cap LimSup(= \infty)).$$ 
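The objectives of Section 2 and of Definition 2 evaluated on concrete runs, as an added example that is not part of the paper. A run is represented as a finite prefix of edge rewards followed by a cycle (rewards and state priorities) that repeats forever; on such ultimately periodic runs every objective above is decidable by inspecting the prefix and at most two copies of the cycle. The sample runs at the bottom are constructed for illustration and are not the runs of Fig. 1.

```python
"""Evaluate the objectives of Section 2 and Definition 2 on ultimately periodic runs.
A run is a finite prefix followed by a cycle repeated forever; rewards are the
integer edge rewards r, priorities are the priorities of the cycle's states."""
import math
from fractions import Fraction
from itertools import accumulate


def partial_sums(rewards):
    """S_0 = 0, S_1, ..., S_n for a finite reward sequence."""
    return [0] + list(accumulate(rewards))


def energy_ok(k, prefix, cycle):
    """EN(k): k plus every partial sum of the run is >= 0."""
    if sum(cycle) < 0:
        return False  # energy drifts to -infinity, so some prefix goes below 0
    # with a non-negative cycle the minimal partial sum occurs within prefix + cycle
    return k + min(partial_sums(prefix + cycle)) >= 0


def min_infix_sum(prefix, cycle):
    """Minimum reward sum over all non-empty infixes of the run (-inf if unbounded)."""
    if sum(cycle) < 0:
        return -math.inf
    # dropping a full non-negative cycle from an infix never increases its sum,
    # so every minimal infix already occurs inside prefix + cycle + cycle
    word = prefix + cycle + cycle
    best = math.inf
    for i in range(len(word)):
        s = 0
        for j in range(i, len(word)):
            s += word[j]
            best = min(best, s)
    return best


def storage_ok(k, l, prefix, cycle):
    """ST(k,l): EN(k) and l plus the reward of every infix is >= 0."""
    return energy_ok(k, prefix, cycle) and l + min_infix_sum(prefix, cycle) >= 0


def parity_ok(cycle_priorities):
    """PAR: the minimal priority seen infinitely often (i.e. on the cycle) is even."""
    return min(cycle_priorities) % 2 == 0


def liminf_energy(prefix, cycle):
    """liminf of the partial sums along the run."""
    d = sum(cycle)
    if d > 0:
        return math.inf
    if d < 0:
        return -math.inf
    return sum(prefix) + min(partial_sums(cycle)[:-1])


def limsup_energy(prefix, cycle):
    """limsup of the partial sums along the run."""
    d = sum(cycle)
    if d > 0:
        return math.inf
    if d < 0:
        return -math.inf
    return sum(prefix) + max(partial_sums(cycle)[:-1])


def mean_payoff(cycle):
    """MP(rho): liminf of the average reward, which on a lasso is the cycle average."""
    return Fraction(sum(cycle), len(cycle))


def gain(prefix, cycle, cycle_priorities):
    """Gain = LimInf(> -inf) and PAR."""
    return liminf_energy(prefix, cycle) > -math.inf and parity_ok(cycle_priorities)


def bailout(k, l, prefix, cycle, cycle_priorities):
    """Bailout(k,l) = (ST(k,l) and PAR) or (EN(k) and LimSup(= inf))."""
    return (storage_ok(k, l, prefix, cycle) and parity_ok(cycle_priorities)) or (
        energy_ok(k, prefix, cycle) and limsup_energy(prefix, cycle) == math.inf
    )


if __name__ == "__main__":
    # constructed sample runs (not taken from the paper's figure)
    runs = {
        "drift-free, even cycle": ([-1, 2], [1, -1], [2, 3]),
        "drifting up, odd cycle": ([], [1, 1, -1], [1, 2, 2]),
        "drifting down":          ([], [-1, 0], [2, 2]),
    }
    for name, (pre, cyc, pri) in runs.items():
        print(name, "EN(1):", energy_ok(1, pre, cyc), "Gain:", gain(pre, cyc, pri),
              "Bailout(1,1):", bailout(1, 1, pre, cyc, pri), "MP:", mean_payoff(cyc))
```

The second sample run shows the two disjuncts of Bailout at work: its cycle has odd minimal priority, so the storage-and-parity disjunct fails, but the energy drifts upward and never goes below the initial credit, so `EN(0) ∩ LimSup(= ∞)` holds and the run is in 0-Bailout even though it is not in Gain.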


The main idea behind these two objectives is a special witness property for 
energy-parity. We argue that, if maximizer has an almost-sure winning strategy 
for energy-parity then he also has one that combines two almost-sure winning 
strategies, one for Gain and one for $k$-Bailout. 

Notice that playing an almost-sure winning strategy for Gain implies a uni- 
formly lower-bounded strictly positive chance that the energy level never drops 
below zero (assuming it is sufficiently high to begin with). This fact uses the 
finiteness of the set of control-states and does not hold for infinite-state MDPs. In 
the unlikely event that the energy level does get close to zero, maximizer switches 
to playing an almost-sure winning strategy for $k$-Bailout. This is a disjunction of 
two scenarios, and the balance might be influenced by minimizer’s choices. In the 
first scenario ($ST(k,l) \cap PAR$) the energy never drops much and stays above zero 
(thus satisfying energy-parity). In the second scenario ($EN(k) \cap LimSup(= \infty)$), 
the parity objective is temporarily suspended in favor of boosting (while always 
staying above zero) the energy to a sufficiently high level to switch back to the 
strategy for Gain and thus try again from the beginning. The probability of 
infinitely often switching between these modes is zero due to the lower-bounded 
chance of success in the Gain phase. Therefore, maximizer eventually wins by 
playing for Gain. Note that maximizer needs to remember the current energy 
level in order to know when to switch and consequently, this strategy uses infinite 
memory. 


Example 3. Consider again the game in Fig. 1. The middle left state satisfies 
both Gain and $k$-Bailout objectives for all $k \geq 2$ almost-surely. The respective 
winning strategies are to always go left for Gain or always go right for $k$-Bailout 
when at that state. Note that it satisfies neither the 0-Bailout nor the 1-Bailout objective. 


We define the subset W C V of states from which maximizer can almost 
surely win both Gain and k-Bailout (assuming sufficiently high initial energy), 
while at the same time ensuring that the play remains within this set of states. 
These are the states from which maximizer can win by freely combining individual 
strategies for the Gain and Bailout objectives. 


Definition 4. Given a finite SSG $G = (V, E, \lambda)$, let $W \subseteq V$ be the largest subset 
of states satisfying the following condition 
$$W \subseteq AS(Gain \cap \mathsf{G}W) \cap \bigcup_k AS(k\text{-}Bailout \cap \mathsf{G}W).$$ 

This condition describes a fixed-point, and it is easy to see that if two 
sets $W_1$ and $W_2$ are such fixed-points, then so is $W_1 \cup W_2$. Thus, the maximal 
fixed-point $W$ is well-defined. 


Our main characterization of almost-sure energy-parity objectives is the 
following Theorem 5. It states that maximizer can almost surely win an $EN(k) \cap 
PAR$ objective if, and only if, he can win the easier $k$-Bailout objective while 
always staying in the safe set $W$. 


Theorem 5. For every $k \in \mathbb{N}$, $AS(EN(k) \cap PAR) = AS(k\text{-}Bailout \cap \mathsf{G}W)$. 
Our proof of this characterization theorem relies on the following claim, which 
allows lifting the existence of finite-memory deterministic optimal strategies from 
MDPs to SSGs. It applies to a fairly general class of objectives and, we believe, 
is of independent interest. 


Recall that $\overline{Obj} = Runs \setminus Obj$ denotes the complement of objective $Obj$. For 
runs $a, b, c \in Runs$ we say that $a$ is a shuffle of $b$ and $c$ if there exist factorizations 
$b = b_0 b_1 \ldots$ and $c = c_0 c_1 \ldots$ such that $a = b_0 c_0 b_1 c_1 \ldots$. An objective $Obj$ is 
called submixing if, for every run $a \in Obj$ that is a shuffle of runs $b$ and $c$, either 
$b \in Obj$ or $c \in Obj$. $Obj$ is shift-invariant if, for every run $s_1 e_1 s_2 e_2 \ldots$, it holds 
that $s_1 e_1 s_2 e_2 \ldots \in Obj \iff s_2 e_2 \ldots \in Obj$. Shift-invariance slightly generalizes 
the better-known tail condition (see [34] for a discussion). 


Theorem 6. Let $O$ be an objective such that $\overline{O}$ is both shift-invariant and 
submixing. If maximizer has optimal FD strategies (from any state $s$) for $O$ in 
every finite MDP then maximizer has optimal FD strategies (from any state $s$) 
for $O$ in every finite SSG. 


This applies in particular to the Gain objective, but not to $k$-Bailout objectives, 
as these are not shift-invariant. A proof of Theorem 6 can be found in [41]. It 
uses a recursive argument based on the notion of reset strategies from [34]. 

The remainder of this section is dedicated to proving Theorem 5. We will 
first collect the remaining technical claims about Gain, Bailout, and reachability 
objectives. Most notably, as Lemma 8, we show that if maximizer can almost 
surely win Gain in a SSG, then he can do so using an FD strategy which moreover 
satisfies an energy-parity objective with strictly positive (and lower-bounded) 
probability. This is shown in part based on Theorem 6 applied to the Gain 
objective. We will also need the following fact about reachability objectives in 
finite MDPs. 


Lemma 7 ([8, Lemma 3.9]). Let $M$ be a finite MDP and $Reach_T$ be the 
reachability objective with target $T = \{s' \mid Val_{s'}(LimInf(= -\infty)) = 1\}$. One can 
compute a rational constant $c < 1$ and an integer $h \geq 0$ such that for all states $s$ 
and $i \geq h$ we have 
$$\forall \tau.\ \mathcal{P}^\tau_s\big(\overline{EN(i)} \cap \overline{Reach_T}\big) \leq \frac{c^i}{1-c}.$$ 


Lemma 8. Consider a finite SSG $G = (V, E, \lambda)$ where $Gain$ holds a.s. for every 
state $s \in V$. Then, for every $\delta \in [0,1)$ and $s \in V$, there exists a $k \in \mathbb{N}$ and an 
FD strategy $\hat\sigma$ s.t. 

1. $\forall \tau.\ \mathcal{P}^{\hat\sigma,\tau}_s(Gain) = 1$, and 
2. $\forall \tau.\ \mathcal{P}^{\hat\sigma,\tau}_s(EN(k) \cap PAR) \geq \delta$. 


Proof. Fix a $\delta \in [0,1)$ and a state $s \in V$. Both $LimInf(= -\infty)$, as well as parity 
objectives, are shift-invariant and submixing, and therefore their union has 
both these properties. It follows that $\overline{Gain} = \overline{LimInf(> -\infty) \cap PAR} = LimInf(= 
-\infty) \cup \overline{PAR}$ is both shift-invariant and submixing, since the complement of a 
parity objective is also a parity objective. By Lemma 16 and Theorem 6 there 
exists an almost-sure winning FD strategy $\hat\sigma$ for maximizer for the objective $Gain$ 
from $s$, i.e., $\forall \tau.\ \mathcal{P}^{\hat\sigma,\tau}_s(Gain) = 1$, thus yielding Item 1. 

Let $M$ be the MDP obtained from $G$ by fixing the strategy $\hat\sigma$ for maximizer 
from $s$. Since $G$ is finite and $\hat\sigma$ is FD, also $M$ is finite. In $M$ we have $\forall \tau.\ \mathcal{P}^\tau_s(Gain) = 
1$. In particular, in $M$, the set $T = \{s' \mid Val_{s'}(LimInf(= -\infty)) = 1\}$ is not 
reachable, i.e., $\forall \tau.\ \mathcal{P}^\tau_s(Reach_T) = 0$. 

By Lemma 7, in $M$ there exists a horizon $h \in \mathbb{N}$ and a constant $c < 1$ such that 
for all $i \geq h$ we have $\forall \tau.\ \mathcal{P}^\tau_s(\overline{EN(i)} \cap \overline{Reach_T}) \leq \frac{c^i}{1-c}$. Since $T$ cannot be reached 
in $M$, the condition $\overline{Reach_T}$ evaluates to true and we have $\forall \tau.\ \mathcal{P}^\tau_s(EN(i)) \geq 
1 - \frac{c^i}{1-c}$. Since $c < 1$ and $\delta < 1$, we can pick a sufficiently large $k \geq h$ such 
that $1 - \frac{c^k}{1-c} \geq \delta$ and obtain $\forall \tau.\ \mathcal{P}^\tau_s(EN(k)) \geq \delta$ in $M$. Moreover, the above 
property $\forall \tau.\ \mathcal{P}^\tau_s(Gain) = 1$ in particular implies $\forall \tau.\ \mathcal{P}^\tau_s(PAR) = 1$. Thus we obtain 
$\forall \tau.\ \mathcal{P}^\tau_s(EN(k) \cap PAR) \geq \delta$ in $M$. 

Back in the SSG $G$, we have $\forall \tau.\ \mathcal{P}^{\hat\sigma,\tau}_s(EN(k) \cap PAR) \geq \delta$ as required for 
Item 2. 


Lemma 9. $EN(k) \cap PAR \subseteq k\text{-}Bailout$. 


Proof. Let $\rho$ be a run in $EN(k) \cap PAR$. There are two cases. In the first case 
we have $\rho \in \bigcup_l ST(k,l) \cap PAR$ and thus directly $\rho \in k\text{-}Bailout$. Otherwise, $\rho \notin 
\bigcup_l ST(k,l) \cap PAR$. Since $\rho \in PAR$, we must have $\rho \notin \bigcup_l ST(k,l)$. Since $\rho \in EN(k)$, it 
follows that $\rho$ does not satisfy the $l$-storage condition for any $l \in \mathbb{N}$. So, for every 
$l \in \mathbb{N}$, there exists an infix $\rho'$ of $\rho$ s.t. $l + r(\rho') < 0$. Let $\rho''$ be the prefix of $\rho$ before 
$\rho'$. Since $\rho \in EN(k)$ we have $k + r(\rho''\rho') \geq 0$ and thus $r(\rho'') \geq -k - r(\rho') > -k + l$. 
To summarize, if $\rho \notin \bigcup_l ST(k,l) \cap PAR$ then, for every $l$, it has a prefix $\rho''$ with 
$r(\rho'') > -k + l$. Thus $\rho \in LimSup(= \infty)$. Thus $\rho \in k\text{-}Bailout$. 


We now define $W'$ as the set of states that are almost-sure winning for 
energy-parity with some sufficiently high initial energy level. ($W'$ is also called 
the winning set for the unknown initial credit problem.) 


Definition 10. $W' \stackrel{\text{def}}{=} \bigcup_k AS(EN(k) \cap PAR)$. 

Lemma 11. 

1. $AS(EN(k) \cap PAR) \subseteq AS(Gain \cap \mathsf{G}W')$ 
2. $AS(EN(k) \cap PAR) \subseteq AS(k\text{-}Bailout \cap \mathsf{G}W')$ 


Proof. Let $s \in AS(EN(k) \cap PAR)$ and $\sigma$ a strategy that witnesses this property. 
Except for a null-set, all runs $\rho = s_0 e_0 s_1 e_1 \ldots e_{n-1} s_n \ldots$ from $s$ induced by $\sigma$ 
satisfy $EN(k) \cap PAR$. 

Let $\rho' = s_0 e_0 s_1 e_1 \ldots s_m$ be a finite prefix of $\rho$. For every $n \geq 0$ we have 
$k + \sum_{i<n} r(e_i) \geq 0$, since $\rho \in EN(k)$. In particular this holds for all $n \geq m$. 
So, for every $n \geq m$, we have $k + \sum_{i<m} r(e_i) + \sum_{i=m}^{n-1} r(e_i) \geq 0$. Therefore 
$s_m \in AS(EN(k') \cap PAR)$, where $k' = k + \sum_{i<m} r(e_i)$, as witnessed by playing 
$\sigma$ with history $s_0 e_0 s_1 e_1 \ldots s_m$ from $s_m$. Thus $s_m \in \bigcup_k AS(EN(k) \cap PAR) = W'$, 
i.e., almost all $\sigma$-induced runs $\rho$ satisfy $\mathsf{G}W'$. 
Towards Item 1, we have $EN(k) \subseteq LimInf(> -\infty)$ and thus $EN(k) \cap PAR \subseteq 
LimInf(> -\infty) \cap PAR = Gain$. Therefore $\sigma$ witnesses $s \in AS(Gain \cap \mathsf{G}W')$. 

Towards Item 2, we have $EN(k) \cap PAR \subseteq k\text{-}Bailout$ by Lemma 9. Thus $\sigma$ 
witnesses $s \in AS(k\text{-}Bailout \cap \mathsf{G}W')$. 


Lemma 12. $W' \subseteq W$. 


Proof. It suffices to show that $W'$ satisfies the monotone condition imposed on 
$W$ (cf. Definition 4), since $W$ is defined as the largest set satisfying this condition. 

Let $s \in W' = \bigcup_k AS(EN(k) \cap PAR)$. Then $s \in AS(EN(k) \cap PAR)$ for some 
fixed $k$. By Lemma 11(1) we have $s \in AS(Gain \cap \mathsf{G}W')$. By Lemma 11(2) we 
have $s \in AS(k\text{-}Bailout \cap \mathsf{G}W') \subseteq \bigcup_k AS(k\text{-}Bailout \cap \mathsf{G}W')$. 


Proof of Theorem 5. Towards the $\subseteq$ inclusion, we have 
$$AS(EN(k) \cap PAR) \subseteq AS(k\text{-}Bailout \cap \mathsf{G}W') \subseteq AS(k\text{-}Bailout \cap \mathsf{G}W)$$ 
by Lemma 11(2) and Lemma 12. 

Towards the $\supseteq$ inclusion, let $s \in AS(k\text{-}Bailout \cap \mathsf{G}W)$ and $\sigma_1$ be a strategy 
that witnesses this. We show that $s \in AS(EN(k) \cap PAR)$. We now consider the 
modified SSG $G' = (W, E, \lambda)$ with the state set restricted to $W$. In particular, 
$s \in W$ and $\sigma_1$ witnesses $s \in AS(k\text{-}Bailout)$ in $G'$. We now construct a strategy $\sigma$ 
that witnesses $s \in AS(EN(k) \cap PAR)$ in $G'$, and thus also in $G$. The strategy $\sigma$ 
will use infinite memory to keep track of the current energy level of the run. 

Apart from $\sigma_1$, we require several more strategies as building blocks for the 
construction of $\sigma$. 

First, in $G$ we had $\forall s' \in W.\ s' \in AS(Gain \cap \mathsf{G}W)$, and thus in $G'$ we have 
$\forall s' \in W.\ s' \in AS(Gain)$. For every $s' \in W$ we instantiate Lemma 8 for $G'$ with 
$\delta = 1/2$ and obtain a number $k_{s'}$ and a strategy $\hat\sigma_{s'}$ with 

1. $\forall \tau.\ \mathcal{P}^{\hat\sigma_{s'},\tau}_{s'}(Gain) = 1$, and 
2. $\forall \tau.\ \mathcal{P}^{\hat\sigma_{s'},\tau}_{s'}(EN(k_{s'}) \cap PAR) \geq 1/2$. 

Let $k_1 = \max\{k_{s'} \mid s' \in W\}$. The strategies $\hat\sigma_{s'}$ are called gain strategies. 

Second, by the finiteness of $V$, there is a minimal number $k_2$ such that 
$\bigcup_k AS(k\text{-}Bailout \cap \mathsf{G}W) = \bigcup_{k \leq k_2} AS(k\text{-}Bailout \cap \mathsf{G}W)$ in $G$. Therefore, in $G'$ we 
have that 
$$W \subseteq \bigcup_k AS(k\text{-}Bailout) = \bigcup_{k \leq k_2} AS(k\text{-}Bailout) = AS(k_2\text{-}Bailout).$$ 
Thus in $G'$ for every $s' \in W$ there exists a strategy $\bar\sigma_{s'}$ with $\forall \tau.\ \mathcal{P}^{\bar\sigma_{s'},\tau}_{s'}(k_2\text{-}Bailout) = 
1$. The strategies $\bar\sigma_{s'}$ are called bailout strategies. Let $k' \stackrel{\text{def}}{=} k_1 + k_2 - k + 1$. We 
now define the strategy $\sigma$. 


Start: First $\sigma$ plays like $\sigma_1$ from $s$. Since $\sigma_1$ witnesses $s \in AS(k\text{-}Bailout)$ against 
every minimizer strategy $\tau$, almost all induced runs $\rho = s_0 e_0 s_1 e_1 \ldots$ satisfy 
either 
(A) $(\bigcup_l ST(k,l) \cap PAR)$, or 
(B) $(EN(k) \cap LimSup(= \infty))$. 
Almost all runs $\rho$ of the latter type (B) (and potentially also some runs of 
type (A)) satisfy $EN(k)$ and $\sum_{i<l} r(e_i) \geq k'$ eventually for some $l$. If we 
observe $\sum_{i<l} r(e_i) \geq k'$ for some prefix $s_0 e_0 s_1 e_1 \ldots e_{l-1} s'$ of the run $\rho$ then our 
strategy $\sigma$ plays from $s'$ as described in the Gain part below. Otherwise, if 
we never observe this condition, then our run $\rho$ is of type (A) and $\sigma$ continues 
playing like $\sigma_1$. Since property (A) implies $(EN(k) \cap PAR)$, this is sufficient. 


Gain: In this case we are in the situation where we have reached some state $s'$ 
after some finite prefix $\rho'$ of the run, where $r(\rho') \geq k'$. Our strategy $\sigma$ now 
plays like the gain strategy $\hat\sigma_{s'}$ as long as $r(\rho') \geq k' - k_1$ holds for the current 
prefix $\rho'$ of the run. By Item 2 this will satisfy $\forall \tau.\ \mathcal{P}^{\hat\sigma_{s'},\tau}_{s'}(EN(k_{s'}) \cap PAR) \geq 1/2$ 
and thus $\forall \tau.\ \mathcal{P}^{\hat\sigma_{s'},\tau}_{s'}(EN(k_1) \cap PAR) \geq 1/2$. It follows that with probability 
$\geq 1/2$ we will keep playing $\hat\sigma_{s'}$ forever and satisfy $PAR$ and always $r(\rho') \geq 
k' - k_1$ and thus $EN(k)$, since $k + r(\rho') \geq k + k' - k_1 = k_2 + 1 > 0$. 
Otherwise, if eventually $r(\rho') = k' - k_1 - 1$ then we have $k + r(\rho') = k_2$. In 
this case (which happens with probability $\leq 1/2$) we continue playing as 
described in the Bailout part below. 


Bailout: In this case we are in the situation where we have reached some 
state $s'' \in W$ after some finite prefix $\rho'$ of the run, where $k + r(\rho') = k_2$. 
Since $s'' \in W$, we can now let our strategy $\sigma$ play like the bailout strategy 
$\bar\sigma_{s''}$ and obtain $\forall \tau.\ \mathcal{P}^{\bar\sigma_{s''},\tau}_{s''}(k_2\text{-}Bailout) = 1$. Thus almost all induced runs 
$\rho'' = s_0 e_0 s_1 e_1 \ldots$ from $s''$ satisfy either 
(A) $(\bigcup_l ST(k_2,l) \cap PAR)$, or 
(B) $(EN(k_2) \cap LimSup(= \infty))$. 
As long as $r(\rho') < k'$ holds for the current prefix $\rho'$ of the run, we keep 
playing $\bar\sigma_{s''}$. Otherwise, if eventually $r(\rho') \geq k'$ holds, then we switch back 
to playing the Gain strategy above. All the runs that never switch back to 
playing the Gain strategy must be of type (A) and thus satisfy $PAR$. Since 
we have $k_2\text{-}Bailout \subseteq EN(k_2)$, it follows that, for every prefix $\rho''$ of the run 
from $s''$ according to $\bar\sigma_{s''}$, we have $k_2 + r(\rho'') \geq 0$. Thus, for every prefix $\rho'\rho''$ 
of $\rho$, we have $k + r(\rho'\rho'') = k + r(\rho') + r(\rho'') = k_2 + r(\rho'') \geq 0$. Therefore, the 
$EN(k)$ objective is satisfied by all runs. 


As shown above, almost all runs induced by $\sigma$ that eventually stop switching 
between the three modes satisfy $EN(k) \cap PAR$. Switching from Gain/Bailout to 
Start is impossible, but switching from Gain to Bailout and back is possible. 
However, the set of runs that infinitely often switch between Gain and Bailout is 
a null-set, because the probability of switching from Gain to Bailout is $\leq 1/2$. 


Thus, $\sigma$ witnesses $s \in AS(EN(k) \cap PAR)$. 
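The Start/Gain/Bailout mode switching from the proof above, as an added example that is not part of the paper: the controller only tracks the accumulated reward $r(\rho')$ of the current prefix and decides which building-block strategy ($\sigma_1$, a gain strategy or a bailout strategy) is in charge, using the thresholds $k'$, $k' - k_1$ and the credits $k$, $k_1$, $k_2$ of the proof. The building-block strategies themselves and the reward sequence fed to the controller are assumptions of this example (the sequence is constructed, the credits $k = 2$, $k_1 = 3$, $k_2 = 2$ are arbitrary); the controller says nothing about how those strategies choose edges.

```python
"""Mode-switching skeleton of the strategy sigma from the proof of Theorem 5:
track r(p') for the current prefix p' and switch between the Start strategy sigma_1,
the gain strategies and the bailout strategies at the proof's thresholds."""


class EnergyParityController:
    """Decides which building-block strategy is in charge after each observed reward.

    k  -- initial energy credit of the EN(k) objective
    k1 -- credit needed by the gain strategies (max over states of k_{s'})
    k2 -- credit from which the bailout strategies win k2-Bailout
    """

    def __init__(self, k, k1, k2):
        if min(k, k1, k2) < 0:
            raise ValueError("credits must be non-negative")
        self.k, self.k1, self.k2 = k, k1, k2
        self.k_prime = k1 + k2 - k + 1   # k' from the proof
        self.mode = "Start"
        self.accumulated = 0             # r(p') for the current prefix p'
        self.gain_to_bailout = 0         # number of Gain -> Bailout switches so far

    @property
    def energy(self):
        """Current energy level k + r(p')."""
        return self.k + self.accumulated

    def observe(self, reward):
        """Update r(p') by the reward of the traversed edge and apply the switching rules."""
        self.accumulated += reward
        r = self.accumulated
        if self.mode == "Start" and r >= self.k_prime:
            # energy k + k' = k1 + k2 + 1: high enough to play a gain strategy
            self.mode = "Gain"
        elif self.mode == "Gain" and r < self.k_prime - self.k1:
            # gain strategies are played only while r(p') >= k' - k1; one step below that
            # the energy is k2 (the proof's r(p') = k' - k1 - 1 case), or lower if a
            # single edge has reward < -1, and the bailout strategy takes over
            self.mode = "Bailout"
            self.gain_to_bailout += 1
        elif self.mode == "Bailout" and r >= self.k_prime:
            # the bailout strategy restored the energy: try a gain strategy again
            self.mode = "Gain"
        return self.mode


def trace(k, k1, k2, rewards):
    """Run the controller over a reward sequence; returns [(mode, energy), ...]."""
    ctl = EnergyParityController(k, k1, k2)
    return [(ctl.observe(rw), ctl.energy) for rw in rewards]


def switch_tail_bound(n, success=0.5):
    """Each Gain phase keeps r(p') >= k' - k1 forever with probability >= `success`
    (1/2 in the proof), so more than n Gain -> Bailout switches happen with
    probability at most (1 - success)^n; this is why infinite switching is a null-set."""
    return (1 - success) ** n


if __name__ == "__main__":
    # constructed reward sequence (an assumption of this example, not from the paper)
    rewards = [1, 1, 1, 1, -1, -1, -1, -1, 2, 2]
    for mode, energy in trace(k=2, k1=3, k2=2, rewards=rewards):
        print(f"{mode:8s} energy={energy}")
    print("P(more than 4 bailouts) <=", switch_tail_bound(4))
```

With $k = 2$, $k_1 = 3$, $k_2 = 2$ the threshold is $k' = 4$: the controller leaves Start once the energy reaches $k_1 + k_2 + 1 = 6$, hands over to a bailout strategy when the energy falls to $k_2 = 2$, and returns to a gain strategy as soon as the energy is back at 6, exactly the three regimes the proof uses.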
Remark 13. It follows from the results above that $W' = W$. The $\subseteq$ inclusion 
holds by Lemma 12. For the reverse inclusion we have 
$$W \subseteq \bigcup_k AS(k\text{-}Bailout \cap \mathsf{G}W) \quad \text{by Definition 4}$$ 
$$= \bigcup_k AS(EN(k) \cap PAR) \quad \text{by Theorem 5}$$ 
$$= W' \quad \text{by Definition 10.}$$ 


4 Bailout 


In this section we will argue that it is possible to decide, in NP and coNP, whether 
the bailout objective can be satisfied almost surely. More precisely, we show the 
existence of procedures to decide if, for a given $k \in \mathbb{N}$ and state $s$, there exists 
an $l \in \mathbb{N}$ such that $s$ almost-surely satisfies the $Bailout(k,l)$ objective 
$$Bailout(k,l) = (ST(k,l) \cap PAR) \cup (EN(k) \cap LimSup(= \infty)).$$ 


Recall that the idea behind the Bailout objective is that, during a game 
for energy-parity, maximizer is temporarily abandoning the parity (but not the 
energy) condition in order to increase the energy to a sufficient level (which 
will then allow him to try an a.s. strategy for Gain once more). However, in a 
stochastic game, as opposed to an MDP [40], an opponent could possibly 
prevent this increase in energy level at the expense of satisfying the original 
energy-parity objective in the first place (cf. Example 1). The Bailout objective 
is designed to capture the disjunction of both outcomes, as both are favorable 
for the maximizer. The parameter $k$ is the acceptable total energy drop (i.e., the 
initial value), and the parameter $l$ is the acceptable energy drop on any infix of 
a play, which translates to the upper bound on the energy level in the second 
outcome. 


The question can be phrased equivalently as membership of a control state $s$ 
in the almost-sure set for the $k$-Bailout objective for a given game $G$ and energy 
level $k \in \mathbb{N}$. 


Theorem 14. One can check in NP, coNP and pseudo-polynomial time if, for 
a given SSG $G = (V, E, \lambda)$, $k \in \mathbb{N}$ and control state $s \in V$, maximizer can 
almost-surely satisfy $k$-Bailout from $s$. 

Moreover, there are $K, L \in \mathbb{N}$, polynomial in $|V|$ and the largest absolute 
transition reward, so that $\bigcup_{k \geq 0} AS^G(k\text{-}Bailout) = AS^G(Bailout(K,L))$. And so, 
checking whether state $s$ belongs to $\bigcup_{k \geq 0} AS^G(k\text{-}Bailout)$ is in NP and coNP. 


Proof (sketch). This is shown by a sequence of transformations of the game and 
ultimately reduced to finding the winner of a non-stochastic game with an 
energy-parity objective, which is known to be solvable in NP, coNP and pseudo- 
polynomial time [19]. One important observation is that it is possible to replace, 
without changing the outcome, the energy $EN(k)$ condition in the $Bailout(k,l)$ 
objective by the more restrictive energy-storage $ST(k,l)$ condition. See [41] for 
further details. 


5 Gain 


In this section we will argue that it is possible to decide, in NP and coNP, whether the Gain objective (i.e., LimInf(> −∞) ∩ PAR) can be satisfied almost surely.

We start by investigating the strategy complexity of winning strategies for 
the Gain objective. 


Lemma 15. In every finite SSG, minimizer has optimal MD strategies for objective Gain.

Proof. We show that maximizer has MD optimal strategies for $\mathrm{LimInf}(= -\infty) \cup \overline{\mathrm{PAR}}$. This is equivalent to the claim of the lemma because

$$\overline{\mathrm{LimInf}(> -\infty) \cap \mathrm{PAR}} = \mathrm{LimInf}(= -\infty) \cup \overline{\mathrm{PAR}}$$

and the complement of a parity condition is itself a parity condition (with all priorities incremented by one).

We note that both LimInf(= −∞), as well as parity objectives PAR, are shift-invariant and submixing and therefore also that the union $\mathrm{LimInf}(= -\infty) \cup \overline{\mathrm{PAR}}$ has both these properties. The claim now follows from the fact that SSGs with objectives that are both submixing and shift-invariant admit MD optimal strategies for maximizer [Theorem 5.2].


Based on the results in one can show a similar claim for maximizer strategies 
in MDPs. 


Lemma 16. For finite MDPs, almost-sure winning maximizer strategies for Gain 
can be chosen FD. 


Using the existence of MD optimal minimizer strategies (Lemma 15) and a coNP upper bound for checking almost sure Gain in MDPs established in [40], we can derive a coNP procedure. See [41] for full details.


Theorem 17. Checking whether a state s ∈ V of an SSG satisfies Gain almost-surely is in coNP.


The rest of this section will deal with the NP upper bound, which is the most challenging part of this paper. The crux of our proof is the observation that if maximizer has a strategy that wins almost surely against all MD minimizer strategies, then he wins almost surely. This is because one of these MD strategies is optimal due to Lemma 15. We show that, in order to witness such an almost-sure winning strategy for maximizer in SSG G, it suffices to provide a polynomially larger SSG G₃, together with an almost-sure winning strategy for the storage-parity objective (see Theorem 21 in Section 6) in G₃. This will give us an NP algorithm, because G₃, along with its winning strategy, can be guessed and verified in polynomial time. Formally we claim that:

Theorem 18. Checking whether a state s ∈ V of G satisfies Gain almost-surely is in NP.


Proof (sketch). For technical convenience, we will assume w.l.o.g. that every SSG henceforth is in a normal form, where every random state has only one predecessor, which is owned by the maximizer. To show the existence of G₃, we are going to introduce two intermediate games: G₁ and G₂. These games are never constructed by our NP algorithm, but are just defined to break down the complex construction of G₃ into more manageable steps.

Intuitively, G₁ is just G where all rewards on edges are multiplied by a large enough factor, f, to turn strategies with a mean-payoff > 0 into ones with mean-payoff > 2. G₂ is an extension of G₁ where the maximizer is given a choice before every visit to a probabilistic node. He can either let the game proceed as before, or sacrifice part of his one-step reward in exchange for a more evenly balanced reward outcome, so the energy can no longer drop arbitrarily low when a probabilistic cycle is reached. As a result, in G₂ it suffices to consider a storage-parity objective (see Theorem 21 in Section 6) instead of Gain. The number of choices maximizer is given is the number of MD minimizer strategies, which clearly can be exponential. That would not suffice for an NP algorithm. Therefore, we show that most of these choices are redundant and can be removed without impairing the almost sure winning region. As the result of that pruning, we obtain G₃ of polynomial size.


For the technical details of the G → G₁ → G₂ → G₃ constructions please see ; Figure 2 shows how these transformations may look.


6 The Main Results 


In this section, we prove the main results of the paper, namely that almost-sure energy parity stochastic games can be decided in NP and coNP. The proofs are straightforward and follow from the much more involved characterization of the almost sure energy parity objective in terms of the Bailout and Gain objectives established in Section 3 and their computational complexity analysis in Sections 4 and 5, respectively.


Theorem 19. Given an SSG and an energy level k*, checking if a state s is almost-sure winning for EN(k*) ∩ PAR is in NP ∩ coNP.


Proof. Recall that we can compute the set W from Definition 4 by iterating

$$W_i = \mathrm{AS}(\mathrm{Gain} \cap G_{W_{i-1}}) \cap \bigcup_{k} \mathrm{AS}(k\text{-Bailout} \cap G_{W_{i-1}})$$

starting with W₀ = V, until we reach the greatest fixed point W. Note that at step i we need to solve almost sure Gain and almost sure $\bigcup_k \mathrm{AS}(k\text{-Bailout})$, where the states of the game are restricted to $W_{i-1}$. There can be at most |V| steps, because at least one state is removed in each iteration.
(a) The original game G = G₁ (b) The game G₂ (c) The game G₃

Fig. 2: An example game G (left) and the derived games. The strategy that always loops in the right-most state of G ensures a mean-payoff of 3. As this is the only MD strategy for maximizer that ensures a positive mean-payoff, a factor f = 1 is sufficient here and we have G₁ = G. In the derived game G₂ in Fig. 2b there are as many trade-in options for the random state as there are MD minimizer strategies in G₁ (just two in this example). The blue one (top left) corresponds to minimizer going left and the red one (top right) to going up in g₁. Maximizer almost-surely wins Gain in G iff he almost-surely wins a storage-parity condition (see Theorem 21) in G₃.


It then suffices to check $\mathrm{AS}(k\text{-Bailout} \cap G_W)$ (i.e., AS(k-Bailout) for the subgame that consists only of the states of the fixed point W) for k = k*. Note that this step can be skipped if k* > K, the bound from Theorem 14.

Before we discuss how to use NP and coNP procedures to construct these sets and to conduct the final test on the fixed point W, we note that the '$\cap\, G_{W_{i-1}}$' does not add anything substantial, as these are simply the same tests and procedures conducted on the subgame that only consists of the states of $W_{i-1}$.

To obtain an NP procedure for constructing AS(Gain)—or, as remarked above, $\mathrm{AS}(\mathrm{Gain} \cap G_{W_{i-1}})$—we can guess and validate its membership for each state s in this set, using the NP result from Theorem 18, and we can guess and validate its non-membership for each state s not in this set in NP, using the coNP result from Theorem 17. Similarly, we can guess and validate both the membership and the non-membership in $\bigcup_k \mathrm{AS}(k\text{-Bailout} \cap G_{W_{i-1}})$—and of $\bigcup_k \mathrm{AS}(k\text{-Bailout} \cap G_{W_{i-1}})$ by analysing the subgame with only the states in $W_{i-1}$—by using the NP and coNP result, respectively, from Theorem 14.

Once we can construct these sets, we can also intersect them and check if a fixed point has been reached. (One can, of course, stop when s ∉ $W_i$.)

We can now conduct the final check in NP using Theorem 18.


A coNP algorithm that constructs W can be designed analogously: once $W_{i-1}$ is known, membership and non-membership of a state s in $\mathrm{AS}(\mathrm{Gain} \cap G_{W_{i-1}})$ can be guessed and validated in coNP by Theorem 17 and by Theorem 18, respectively; and membership or non-membership of a state in $\bigcup_k \mathrm{AS}(k\text{-Bailout} \cap G_{W_{i-1}})$ can be guessed and validated in coNP using the coNP and NP part, respectively, of Theorem 14.

Once W is constructed, we can conduct the final check in coNP using Theorem 14.


This result, together with the upper bound on the energy needed to win the energy-parity objective, allows us to solve the 'unknown initial energy problem' [7], which is to compute the minimal initial energy level required.




Corollary 20. For any state s, checking if there is k such that AS(EN(k) ∩ PAR) holds is in NP ∩ coNP. Also, for a given k*, checking if k* is the minimal energy level required to win almost surely is in NP ∩ coNP as well.


Proof. Due to Theorem 14, if there is an energy level k for which AS(EN(k) ∩ PAR) holds, then it also holds for the bound K whose size is polynomial in the size of the game. We can then simply calculate K and then use the NP and coNP algorithms from Theorem 19 for AS(EN(K) ∩ PAR).

As for the second claim, note that checking whether maximizer cannot win almost surely EN(k) ∩ PAR is also in NP and coNP as a complement of a coNP and an NP set, respectively. Therefore, for an NP/coNP upper bound it suffices to simultaneously guess certificates for almost surely EN(k*) ∩ PAR and not almost surely EN(k* − 1) ∩ PAR and verify them in polynomial time.


Finally, let us mention that the slightly more restrictive storage-parity objectives can also be solved in NP ∩ coNP. These are almost identical to energy-parity except that, in addition, there must exist some bound l ∈ ℕ such that the energy level never drops by more than l during a run. This extra condition ensures that, if the storage-parity objective holds almost-surely, then there must exist a finite-memory winning strategy for maximizer.


Theorem 21. One can check in NP ∩ coNP and pseudo-polynomial time if, for a given SSG G = (V, E, A), k ∈ ℕ and control state s ∈ V, maximizer can almost-surely satisfy ST(k) ∩ PAR from s.

Moreover, there is a bound L ∈ ℕ, polynomial in the number of states and the largest absolute transition reward, so that ST(k) ∩ PAR = ST(k, L) ∩ PAR.


Proof (sketch). This result follows by a simple adaptation of the proofs showing the same computational complexity of the Bailout objective (Section 4). See for further details.


Example 22. In the game in Fig. 1 maximizer cannot ensure the storage-parity condition ST(k) ∩ PAR for any initial energy level k. This is because it would imply the existence of a finite-memory almost-surely winning strategy, which, as we have already argued, cannot be true. More intuitively, to prevent an intermediate energy drop by l units, a winning maximizer strategy for storage-parity would need to stop moving left after observing the negative cycle in the leftmost state l successive times. However, when maximizer moves right, this gives minimizer the chance to visit the rightmost bad state (with dominating odd priority 1). The chance of that happening is $(1/3)^l > 0$. In particular, this probability is > 0 for any value of the intermediate energy drop l. Therefore, for any fixed l, maximizer would need to move right infinitely often to satisfy storage and lose (against an optimal minimizer strategy that moves to the rightmost state).


7 Conclusion and Outlook 


We showed that several almost-sure problems for combined energy-parity ob- 
jectives in simple stochastic games are in NP N coNP. No pseudo-polynomial 
algorithm is known (just like for stochastic mean-payoff parity games [20]). All 
these problems subsume (stochastic) parity games, by setting all rewards to 0. 
Thus the existence of a pseudo-polynomial algorithm would imply that (stochastic 
and non-stochastic) parity games are in P, which is a long-standing open problem. 

It is known that maximizer already needs infinite memory to win almost- 
surely a combined energy-parity objective in MDPs [40]. Our results do not imply 
anything about the memory requirement for optimal minimizer strategies in SSGs 
for this objective. We conjecture that memoryless minimizer strategies suffice. If 
this conjecture holds (and is proven), this would greatly simplify the coNP upper 
bound that we established for this problem. 

A natural question is whether results on mean-payoff/energy/parity games 
can be generalized to a setting with multi-dimensional payoffs. Non-stochastic 
multi-mean-payoff and multi-energy games have been studied in [48,36,1]. To 
the best of our knowledge, the techniques used there, e.g. upper bounds on 
the necessary energy levels as in [36], do not generalize to stochastic games (or 
MDPs). 

Multiple mean-payoff objectives in MDPs have been studied in [10,24], but 
the corresponding multi-energy (resp. multi-energy-parity) objective has extra 
difficulties due to the 0-boundary condition on the energy. I.e., even on Markov 
chains, and without any parity condition, it subsumes problems about multi- 
dimensional random walks. Some partial results on Markov chains and MDPs 
have been obtained in [13,2,3], but the decidability of the almost-sure problem 
for stochastic multi-energy-parity games (and MDPs) remains open. 
Abstract. We introduce a new measure on regular languages: their nondeterministic syntactic complexity. It is the least degree of any extension of the 'canonical boolean representation' of the syntactic monoid. Equivalently, it is the least number of states of any subatomic nondeterministic acceptor. It turns out that essentially all previous structural work on nondeterministic state-minimality computes this measure. Our approach rests on an algebraic interpretation of nondeterministic finite automata as deterministic finite automata endowed with semilattice structure. Crucially, the latter form a self-dual category.


1 Introduction 


Regular languages admit a plethora of equivalent representations: finite automata, 
finite monoids, regular expressions, formulas of monadic second-order logic, and 
numerous others. In many cases, the most succinct representation is given by a 
nondeterministic finite automaton (nfa). Therefore, the investigation of state- 
minimal nfas is of both computational and mathematical interest. However, this 
turns out to be surprisingly intricate; in fact, the task of minimizing an nfa, or even 
of deciding whether a given nfa is minimal, is known to be PSPACE-complete [23]. 
One intuitive reason is that minimal nfas lack structure: a language may have 
many non-isomorphic minimal nondeterministic acceptors, and there are no clearly 
identified and easily verifiable mathematical properties distinguishing them from 
non-minimal ones. As a consequence, all known algorithms for nfa minimization 
(and related problems such as inclusion or universality testing) require some form 
of exhaustive search [9,11,26]. This sharply contrasts the situation for minimal 
deterministic finite automata (dfa): they can be characterized by a universal 
property making them unique up to isomorphism, which immediately leads to 
efficient minimization. 

In the present paper, we work towards the goal of bringing more structure into the theory of nondeterministic state-minimality. To this end, we propose a novel algebraic perspective on nfas resting on boolean representations of monoids, i.e. morphisms M → JSL(S, S) from a monoid M into the endomorphism monoid of a finite join-semilattice S. Our focus lies on quotient monoids of the free monoid Σ* recognizing a given regular language L ⊆ Σ*. The largest such monoid is Σ* itself, while the smallest one is the syntactic monoid syn(L). For both of them, L induces a canonical boolean representation

$$\Sigma^* \to \mathrm{JSL}(\mathrm{SLD}(L), \mathrm{SLD}(L)) \qquad\text{and}\qquad \mathrm{syn}(L) \to \mathrm{JSL}(\mathrm{SLD}(L), \mathrm{SLD}(L))$$

on the semilattice SLD(L) of all finite unions of left derivatives of L. The first representation gives rise to an algebraic characterization of minimal nfas:

Theorem. The size of a state-minimal nfa for L equals the least degree of any extension of the canonical representation of Σ* induced by L.


Here, the degree of a representation refers to the number of join-irreducibles of the 
underlying semilattice. In the light of this result, it is natural to ask for an ana- 
logous automata-theoretic perspective on the canonical representation of syn(L) 
and its extensions. For this purpose, we introduce the class of subatomic nfas, a 
generalization of atomic nfas earlier introduced by Brzozowski and Tamm [6]. In 
order to get a handle on them, we employ an algebraic framework that interprets 
nfas in terms of JSL-dfas, i.e. deterministic finite automata in the category 
of semilattices. In this setting, the semilattice SLD(L) used in the canonical 
representations naturally arises as the minimal JSL-dfa for the language L. We 
shall demonstrate that much of the structure theory of (sub-)atomic nfas reduces 
to the observation that the category of JSL-dfas is self-dual. Our main result 
gives an algebraic characterization of minimal subatomic nfas: 


Theorem. The size of a state-minimal subatomic nfa for L equals the least 
degree of any extension of the canonical representation of syn(L). 


We call the measure suggested by the above theorem the nondeterministic 
syntactic complexity of the language L. It turns out to be extremely natural: as 
illustrated in Section 5, essentially all existing work on the structure of state- 
minimal nfas implicitly identifies classes of languages whose nondeterministic 
state complexity equals their nondeterministic syntactic complexity, and thus is 
actually concerned with computing minimal subatomic acceptors. 


2 Preliminaries 


We start by introducing some notation and terminology used in the paper. 


Semilattices. A (join-)semilattice is a poset (S, ≤_S) in which every finite subset X ⊆ S has a least upper bound, a.k.a. join, denoted by ⋁X. A morphism of semilattices is a map preserving all finite joins. Let JSL denote the category of join-semilattices and their morphisms. An element j of a semilattice S is join-irreducible if for all finite subsets X ⊆ S with j = ⋁X one has j ∈ X. Let

$$J(S) = \{\, j \in S : j \text{ is join-irreducible} \,\}.$$

Let 2 = {0, 1} denote the two-element semilattice with 0 < 1. Since 2 ≅ (P(1), ⊆) is the free semilattice on a single generator, morphisms from 2 into a semilattice S correspond uniquely to elements of S. Similarly, a morphism f: S → 2 corresponds uniquely to a prime filter F = f⁻¹[1] ⊆ S, i.e. an upwards closed subset such that ⋁X ∈ F implies X ∩ F ≠ ∅ for every finite subset X ⊆ S. If S is finite, prime filters are precisely the sets F = {s ∈ S : s ≰ s₀} for s₀ ∈ S. If S is a subsemilattice of a semilattice T, every prime filter F of S can be extended to the prime filter T \ ↓(S \ F) of T, where ↓X = {t ∈ T : t ≤ x for some x ∈ X} denotes the down-closure of a subset X ⊆ T. Equivalently, every morphism f: S → 2 can be extended to a morphism g: T → 2. In category-theoretic terminology, this means that the semilattice 2 forms an injective object of JSL.

The category JSL_f of finite semilattices is self-dual [25]. The equivalence functor JSL_f → JSL_f^op sends a semilattice S to its dual semilattice S^op obtained by reversing the order, and a morphism f: S → T to the morphism f*: T^op → S^op mapping t ∈ T to the ≤_S-largest element s ∈ S with f(s) ≤_T t. Note that f is adjoint to f*: for s ∈ S and t ∈ T we have f(s) ≤_T t iff s ≤_S f*(t).


Languages. A language is a subset L of Σ*, the set of finite words over an alphabet Σ. We let L̄ = Σ* \ L denote the complement and L^r = {w^r : w ∈ L} the reverse, where w^r = a_n … a_1 for w = a_1 … a_n. The left derivatives, right derivatives and two-sided derivatives of L are, respectively, given by u⁻¹L = {w ∈ Σ* : uw ∈ L}, Lv⁻¹ = {w ∈ Σ* : wv ∈ L} and u⁻¹Lv⁻¹ = {w ∈ Σ* : uwv ∈ L} for u, v ∈ Σ*. More generally, for U ⊆ Σ* the language U⁻¹L = ⋃_{u∈U} u⁻¹L is called the left quotient of L w.r.t. U. We define the following sets of languages generated by L:

– LD(L) = {u⁻¹L : u ∈ Σ*}, the set of all left derivatives of L;
– SLD(L), its closure under finite union;
– BLD(L), its closure under all set-theoretic boolean operations;
– BLRD(L), its closure under all boolean operations and right derivatives.

In other words, SLD(L) is the ∪-semilattice of all left quotients of L, or equivalently, the ∪-subsemilattice of P(Σ*) generated by all left derivatives. Moreover, BLD(L) and BLRD(L) form the boolean subalgebras of P(Σ*) generated by all left derivatives and all two-sided derivatives, respectively.


3 Duality Theory of Semilattice Automata 


In this section, we set up the algebraic framework in which nondeterministic 
automata can be studied. Since it involves considering several different types of 
automata, it is convenient to view them all as instances of a general categorical 
concept. For the rest of this paper, let Σ denote a fixed finite input alphabet. 


Definition 3.1. Let C be a category and let X, Y ∈ C be two fixed objects. An automaton in C is a quadruple (S, δ, i, f) consisting of an object S ∈ C of states, a family δ = (δ_a: S → S)_{a∈Σ} of morphisms representing transitions, and two morphisms i: X → S and f: S → Y representing initial and final states (see the left-hand diagram below). A morphism between automata (S, δ, i, f) and (S′, δ′, i′, f′) is given by a morphism h: S → S′ in C preserving transitions, initial states and final states, i.e. making the right-hand diagram below commute for all a ∈ Σ:

[Diagrams: on the left, X → S → Y via i and f, with the transitions δ_a drawn as loops on S; on the right, the commuting square relating δ_a and δ′_a through h: S → S′.]

Let Aut(C) denote the category of automata in C and their morphisms.

Notation 3.2. We put δ_w := δ_{a_n} ∘ ⋯ ∘ δ_{a_1} for w = a_1 … a_n in Σ*.

Example 3.3. (1) An automaton D = (S, δ, i, f) in Set, the category of sets and functions, with X = 1 and Y = 2, is precisely a classical deterministic automaton. It is called a dfa if S is finite. We identify the map i: 1 → S with an initial state s₀ = i(∗) ∈ S, and the map f: S → 2 with a set F = f⁻¹[1] ⊆ S of final states. The language L(D, s) accepted by a state s ∈ S is the set of all words w ∈ Σ* such that δ_w(s) ∈ F. The language L(D) accepted by D is the language accepted by the state s₀.

(2) An automaton N = (S, δ, i, f) in Rel, the category of sets and relations, with X = Y = 1, is precisely a classical nondeterministic automaton. It is called an nfa if S is finite. We identify i ⊆ 1 × S with a set I ⊆ S of initial states and f ⊆ S × 1 with a set F ⊆ S of final states. Thus, in our view an nfa may have multiple initial states. The language L(N, R) accepted by a subset R ⊆ S consists of all w ∈ Σ* such that (r, s) ∈ δ_w for some r ∈ R and s ∈ F. The language L(N) accepted by N is the language accepted by the set I.

(3) An automaton A = (S, δ, i, f) in JSL with X = Y = 2, shortly a JSL-automaton, is given by a semilattice S of states, a family δ = (δ_a: S → S)_{a∈Σ} of semilattice morphisms specifying transitions, an initial state s₀ ∈ S (corresponding to i: 2 → S), and a prime filter F ⊆ S of final states (corresponding to f: S → 2). It is called a JSL-dfa if S is finite. The language accepted by a state s ∈ S or by the automaton A, resp., is defined as for deterministic automata.


Remark 3.4 (JSL-dfas vs. nfas). Dfas, nfas and JSL-dfas are expressively equivalent; they all accept precisely the regular languages. The interest of JSL-dfas is that they constitute an algebraic representation of nfas:

(1) Every JSL-dfa A = (S, δ, s₀, F) induces an equivalent nfa J(A) on the set J(S) of join-irreducibles of S. Given s, t ∈ J(S) and a ∈ Σ, there is a transition s → t labelled a in J(A) iff t ≤ δ_a(s); the initial states are those s ∈ J(S) with s ≤ s₀, and the final states form the set J(S) ∩ F.

(2) Conversely, for every nfa N = (Q, δ, I, F), the subset construction yields an equivalent JSL-dfa P(N) with states P(Q) (the ∪-semilattice of subsets of Q), transitions Pδ_a: P(Q) → P(Q), X ↦ δ_a[X], initial state I ∈ P(Q), and final states those subsets of Q containing some state from F. Note that J(P(Q)) ≅ Q. It follows that the task of finding a state-minimal nfa for a given language is equivalent to finding a JSL-dfa with a minimum number of join-irreducibles [4]. This idea has recently been extended to a general coalgebraic framework [32,39].
Recall that the minimal dfa [7] for a regular language L, denoted by dfa(L), has states LD(L) (the set of left derivatives of L), transitions K → a⁻¹K labelled a for K ∈ LD(L) and a ∈ Σ, initial state L = ε⁻¹L, and final states those K ∈ LD(L) containing ε. Up to isomorphism, it can be characterized as the unique dfa accepting L that is reachable (i.e. every state is reachable from the initial state via transitions) and simple (i.e. any two distinct states accept distinct languages). We now develop the analogous concepts for JSL-automata; they are instances of the categorical theory of minimality due to Arbib and Manes [3] and Goguen [15]. Let us first observe that every language has two canonical infinite JSL-acceptors:
Let us first observe that every language has two canonical infinite JSL-acceptors: 


Definition 3.5. Let L ⊆ Σ* be a language.

(1) The initial JSL-automaton Init(L) for L has states P_f(Σ*) (the ∪-semilattice of finite subsets of Σ*), initial state {ε}, final states all X ∈ P_f(Σ*) with X ∩ L ≠ ∅, and transitions X ↦ Xa = {xa : x ∈ X} for X ∈ P_f(Σ*) and a ∈ Σ.

(2) The final JSL-automaton Fin(L) for L has states P(Σ*) (the ∪-semilattice of all languages), initial state L, final states all languages K containing ε, and transitions K ↦ a⁻¹K for K ∈ P(Σ*) and a ∈ Σ.


As suggested by the terminology, these automata form the initial and the final 
object in the category of JSL-automata accepting L: 


Lemma 3.6 [3,15]. For every JSL-automaton A = (S, δ, s₀, F) accepting the language L ⊆ Σ*, there exist unique JSL-automata morphisms

$$e_A\colon \mathrm{Init}(L) \to A \qquad\text{and}\qquad m_A\colon A \to \mathrm{Fin}(L).$$

The map e_A sends {w₁, …, w_n} ∈ P_f(Σ*) to the state $\bigvee_{i} \delta_{w_i}(s_0)$, and the map m_A sends a state s ∈ S to L(A, s), the language accepted by s.


Definition 3.7. A JSL-automaton A = (S, δ, s₀, F) is called

(1) reachable if the unique morphism e_A: Init(L) → A is surjective, i.e. every state is of the form $\bigvee_{i=1}^{n} \delta_{w_i}(s_0)$ for some w₁, …, w_n ∈ Σ*;

(2) simple if the unique morphism m_A: A → Fin(L) is injective, i.e. any two distinct states accept distinct languages;

(3) minimal if it is both reachable and simple.


Remark 3.8. (1) The category Aut(JSL) has a factorization system given by surjective and injective morphisms. Thus, for every JSL-automata morphism h: (S, δ, i, f) → (S′, δ′, i′, f′) with image factorization h = (S ↠ S″ ↣ S′) in JSL, with e: S ↠ S″ surjective and m: S″ ↣ S′ injective, there exists a unique JSL-automaton structure (S″, δ″, i″, f″) on S″ making both e and m automata morphisms. We call e the coimage and m the image of h. Subautomata and quotient automata of JSL-automata are represented by injective and surjective morphisms, respectively.
(2) Every JSL-automaton A has a unique reachable subautomaton reach(A) ↣ A, the reachable part of A. It is the smallest subautomaton of A and arises as the image of the unique morphism e_A: Init(L) → A. Thus,

$$A \text{ is reachable} \iff A \cong \mathrm{reach}(A) \iff A \text{ has no proper subautomaton.}$$

Let us emphasize that a state in reach(A) is not necessarily reachable when A is viewed as an ordinary dfa. For distinction, we thus call a state JSL-reachable if it lies in reach(A), and dfa-reachable if it is reachable in the usual sense.

(3) Dually, every JSL-automaton A has a unique simple quotient automaton A ↠ simple(A), the simplification of A. It is the smallest quotient automaton of A and arises as the coimage of the unique morphism m_A: A → Fin(L). Thus,

$$A \text{ is simple} \iff A \cong \mathrm{simple}(A) \iff A \text{ has no proper quotient automaton.}$$

(4) Every language L ⊆ Σ* has a minimal JSL-automaton, unique up to isomorphism. It can be constructed as the image of the unique automata morphism h_L: Init(L) → Fin(L). Since h_L sends {w₁, …, w_n} ∈ P_f(Σ*) to the language $\bigcup_{i=1}^{n} w_i^{-1}L$, the minimal automaton of L is the subautomaton SLD(L) of Fin(L) carried by the semilattice of finite unions of left derivatives of L.


Example 3.9. The minimal JSL-dfa accepting L = {a, aa} is shown below, with the dashed lines representing the partial order.

[Figure: the minimal JSL-dfa for L = {a, aa}; its states are the finite unions of left derivatives of L (among them {ε, a}), with dashed lines for the partial order.]
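The constructions of Remark 3.4(1) and Example 3.9, together with the dual automaton A^op of Remark 3.10 below, worked out in Python as an added example (not code from the paper). It assumes a finite language given as a frozenset of strings and an alphabet given as a string; since L is finite, every left derivative is a finite set, so the states of SLD(L) are finite sets ordered by inclusion and no automaton input is needed.

```python
"""Minimal JSL-dfa SLD(L) of a finite language L, the nfa J(A) it induces, and
the dual automaton A^op.  Added example, not code from the paper.  Assumptions:
L is a frozenset of strings, the alphabet a string, and the empty word is "".
Every state is a finite set of words, so <= is set inclusion and join is union."""
from itertools import product

EPS = ""  # the empty word


def left_derivative(u, L):
    """u^{-1}L = {w : uw in L}, i.e. the transition delta_u on the state L of Fin(L)."""
    return frozenset(w[len(u):] for w in L if w.startswith(u))


def words_up_to(alphabet, max_len):
    """All words over the alphabet of length <= max_len (constructed enumeration)."""
    return ["".join(p) for n in range(max_len + 1) for p in product(alphabet, repeat=n)]


def sld(L, alphabet):
    """SLD(L): the finite unions of left derivatives of L (states of the minimal
    JSL-dfa).  Derivatives by words longer than any word of L are empty, so a
    bounded enumeration finds every left derivative of a finite L."""
    longest = max((len(w) for w in L), default=0)
    states = {left_derivative(u, L) for u in words_up_to(alphabet, longest + 1)}
    changed = True
    while changed:  # close under binary union
        changed = False
        for K1, K2 in list(product(states, repeat=2)):
            if K1 | K2 not in states:
                states.add(K1 | K2)
                changed = True
    return frozenset(states)


def join_irreducibles(states):
    """J(S): non-empty states that are not the union of the states strictly below them."""
    return frozenset(K for K in states
                     if K and frozenset().union(*[M for M in states if M < K]) != K)


def nfa_j(L, alphabet):
    """J(A) for A = SLD(L), as in Remark 3.4(1): states J(S); s -a-> t iff
    t <= delta_a(s); initial states s <= s0 = L; final states J(S) intersected
    with F, where F = {K : eps in K} is the prime filter of final states."""
    J = join_irreducibles(sld(L, alphabet))
    delta = frozenset((s, a, t) for s in J for a in alphabet for t in J
                      if t <= left_derivative(a, s))
    initial = frozenset(s for s in J if s <= L)
    final = frozenset(s for s in J if EPS in s)
    return {"states": J, "delta": delta, "initial": initial, "final": final}


def nfa_accepts(nfa, w):
    """Standard nfa run: accept iff some final state is reached from an initial one."""
    current = set(nfa["initial"])
    for a in w:
        current = {t for (s, b, t) in nfa["delta"] if s in current and b == a}
    return any(s in nfa["final"] for s in current)


def dual_step(states, a, s):
    """delta_a^*(s): the largest t with delta_a(t) <= s.  It exists because
    delta_a preserves unions, so the union of all such t is itself such a t."""
    return frozenset().union(*[t for t in states if left_derivative(a, t) <= s])


def dual_accepts(L, alphabet, w):
    """Run A^op for A = SLD(L): start in the largest non-final state of A, follow
    the adjoint transitions, and accept iff the state reached is not above s0 = L."""
    states = sld(L, alphabet)
    current = frozenset().union(*[K for K in states if EPS not in K])
    for a in w:
        current = dual_step(states, a, current)
    return not L <= current


def accepted_up_to(accept, alphabet, max_len):
    """The words of length <= max_len satisfying the acceptance predicate."""
    return frozenset(w for w in words_up_to(alphabet, max_len) if accept(w))


if __name__ == "__main__":
    L = frozenset({"a", "aa"})  # the language of Example 3.9
    A = nfa_j(L, "a")
    print(len(sld(L, "a")), "states in SLD(L);", len(A["states"]), "states in J(A)")
    print(sorted(accepted_up_to(lambda w: nfa_accepts(A, w), "a", 4)))
    L2 = frozenset({"ab", "b"})  # constructed; A^op should accept the reverse {ba, b}
    print(sorted(accepted_up_to(lambda w: dual_accepts(L2, "ab", w), "ab", 3)))
```

For L = {a, aa} the semilattice has five states and three join-irreducibles, so J(A) is a three-state nfa for L; the second language checks that A^op accepts the reverse language.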


Remark 3.10. The self-duality of JSL_f lifts to a self-duality of the category of JSL-dfas. The equivalence functor Aut(JSL_f) → Aut(JSL_f)^op maps a JSL-dfa A = (S, (δ_a: S → S)_{a∈Σ}, i: 2 → S, f: S → 2) to its dual automaton

$$A^{op} = \big(S^{op},\ (\delta_a^*\colon S^{op} \to S^{op})_{a\in\Sigma},\ f^*\colon 2 \to S^{op},\ i^*\colon S^{op} \to 2\big),$$

using that 2^op ≅ 2. Thus, the initial state of A^op is the ≤_S-largest non-final state of A, and its final states are those s ∈ S with s₀ ≰_S s. Given s, t ∈ S and a ∈ Σ, there is a transition s → t labelled a in A^op iff t is the ≤_S-largest state with δ_a(t) ≤_S s.


The dualization of JSL-dfas can be seen as an algebraic generalization of the reversal operation on nfas. Recall that the reverse of an nfa N is the nfa N^r obtained by flipping all transitions and swapping initial and final states. If N accepts the language L, then N^r accepts the reverse language L^r.


Lemma 3.11. For each nfa N = (Q, δ, I, F), we have the JSL-dfa isomorphism

$$[\mathcal{P}(N)]^{op} \cong \mathcal{P}(N^r), \qquad X \mapsto \overline{X} = Q \setminus X.$$
The following lemma summarizes some important properties of A^op:

Lemma 3.12. Let A = (S, δ, i, f) be a JSL-dfa.

(1) For every s ∈ S, we have $L(A^{op}, s) = \{\, w \in \Sigma^* : \delta_{w^r}(s_0) \not\le_S s \,\}$.

(2) If A accepts the language L, then A^op accepts the reverse language L^r.

(3) We have [reach(A)]^op ≅ simple(A^op). Thus, A is reachable iff A^op is simple.

Our next goal is to give, for every regular language L, dual characterizations of SLD(L), BLD(L) and BLRD(L), the JSL-subautomata of Fin(L) carried by all finite unions of left derivatives, boolean combinations of left derivatives and boolean combinations of two-sided derivatives, respectively. These results form the core of our duality-based approach to (sub-)atomic nfas in the next section. The minimal JSL-dfa SLD(L) admits the following dual description:


Proposition 3.13. For every regular language L, the minimal JSL-dfas for L and L^r are dual. More precisely, we have the JSL-dfa isomorphism

$$d_{r,L}\colon [\mathrm{SLD}(L^r)]^{op} \cong \mathrm{SLD}(L), \qquad K \mapsto \big(\overline{K}^{\,r}\big)^{-1} L.$$


Remark 3.14. (1) The isomorphism d_{r,L} induces a bijection between the left and right factors of L, i.e. the inclusion-maximal left/right solutions of X·Y ⊆ L. Conway [10] observed that the left and right factors are respectively {K^r : K ∈ SLD(L^r)} and {K : K ∈ SLD(L)} and that they biject. Backhouse [5] observed that they are dually isomorphic posets. Proposition 3.13 provides an explicit automata-theoretic lattice isomorphism arising canonically via duality.

(2) The isomorphism d_{r,L} is tightly connected to the dependency relation [18,20] of a regular language L, i.e. the binary relation given by

$$\mathrm{DR}_L \subseteq \mathrm{LD}(L) \times \mathrm{LD}(L^r), \qquad \mathrm{DR}_L(u^{-1}L,\ v^{-1}L^r) \;:\Leftrightarrow\; uv^r \in L.$$

Its restriction $\mathrm{DR}_L^J := \mathrm{DR}_L \cap \big(J(\mathrm{SLD}(L)) \times J(\mathrm{SLD}(L^r))\big)$ to the ∪-irreducible left derivatives of L and L^r is called the reduced dependency relation. The following theorem shows that the semilattice of left quotients and the dependency relation are essentially the same concepts. In part (3), we use that the isomorphism d_{r,L} restricts to a bijection between the ∪-irreducible derivatives of L^r and the meet-irreducible elements of the lattice SLD(L).

Theorem 3.15 (Dependency theorem).

(1) We have the JSL-isomorphism

$$\mathrm{SLD}(L) \cong \big(\{\mathrm{DR}_L[X] : X \subseteq \mathrm{LD}(L)\},\ \cup,\ \emptyset\big), \qquad K \mapsto \{\, v^{-1}L^r : v^r \in K \,\}.$$

Note that its codomain forms a subsemilattice of P(LD(L^r)).

(2) For all u, v ∈ Σ* we have $\mathrm{DR}_L(u^{-1}L,\ v^{-1}L^r)$ iff $u^{-1}L \not\subseteq d_{r,L}(v^{-1}L^r)$.

(3) The following diagram in Rel commutes:

[Diagram in Rel: d_{r,L}: J(SLD(L^r)) → M(SLD(L)) along the top, the reduced dependency relation DR_L^J on the left, and J(SLD(L)) in the bottom row.]
Let us now turn to a dual characterization of the JSL-dfa BLD(L):

Proposition 3.16. For every regular language L, the JSL-dfa BLD(L) is dual to the subset construction of the minimal dfa for L^r:

$$[\mathrm{BLD}(L)]^{op} \cong \mathcal{P}(\mathrm{dfa}(L^r)).$$

The isomorphism maps $\{w_1^{-1}L^r, \ldots, w_n^{-1}L^r\} \in \mathcal{P}(\mathrm{dfa}(L^r))$ to $\bigcap_{i=1}^{n} \overline{\mathrm{At}(w_i^r)}$, where At(x) is the unique atom (= join-irreducible) of BLD(L) containing x.


To state the dual characterization of BLRD(L), we recall two standard concepts 
from algebraic language theory [33]. The transition monoid of a deterministic 
automaton D = (S, δ, i, f) is the image tm(D) ⊆ Set(S, S) of the morphism 

$$\Sigma^* \to \mathsf{Set}(S,S),\qquad w \mapsto \delta_w.$$

Thus, tm(D) is carried by the set of extended transition maps δ_w (w ∈ Σ*) with 
multiplication given by δ_v · δ_w = δ_{vw} and unit id_S = δ_ε : S → S. We may view 
tm(D) as a deterministic automaton with initial state id_S, final states all δ_w such 
that w is accepted by D, and transitions δ_w ↦ δ_{wa} for w ∈ Σ* and a ∈ Σ. This 
automaton accepts the same language as D. The syntactic monoid syn(L) of a 
regular language L ⊆ Σ* is the transition monoid of its minimal dfa: 

$$\mathsf{syn}(L) = \mathsf{tm}(\mathsf{dfa}(L)).$$

Equivalently, syn(L) is the quotient monoid of the free monoid Σ* modulo the 
syntactic congruence of L, i.e. the monoid congruence on Σ* given by 

$$v \equiv_L w \quad\text{iff}\quad \forall x, y \in \Sigma^* :\; xvy \in L \Leftrightarrow xwy \in L.$$

The associated surjective monoid morphism μ_L: Σ* ↠ syn(L), mapping w ∈ Σ* 
to its congruence class [w]_L ∈ syn(L), is called the syntactic morphism. 


Proposition 3.17. For every regular language L, the JSL-dfa BLRD(L) is dual 
to the subset construction of syn(L^r), viewed as a dfa: 

$$[\mathsf{BLRD}(L)]^{op} \;\cong\; \mathcal{P}(\mathsf{syn}(L^r)).$$

The isomorphism maps $\{[w_1]_{L^r}, \ldots, [w_n]_{L^r}\} \in \mathcal{P}(\mathsf{syn}(L^r))$ to $\bigcap_i \mathsf{At}(w_i^r)$, with 
At(x) denoting the unique atom of BLRD(L) containing x. 


Our final duality result in this section concerns the transition semiring [35], a 
generalization of the transition monoid to JSL-automata. Note that the monoid 
JSL(S, S) of endomorphisms of a semilattice S forms an idempotent semiring with 
join defined pointwise: for any f, g: S → S, the morphism f ∨ g: S → S is given 
by s ↦ f(s) ∨ g(s). The transition semiring of a JSL-automaton A = (S, δ, i, f) 
is the image ts(A) ⊆ JSL(S, S) of the semiring morphism 

$$\mathcal{P}_f(\Sigma^*) \to \mathsf{JSL}(S,S),\qquad \{w_1, \ldots, w_n\} \mapsto \bigvee_{i=1}^{n} \delta_{w_i}.$$

Here P_f(Σ*) is the free idempotent semiring on Σ, with composition given by 
concatenation of languages and join given by union. Thus, ts(A) is the semi- 
ring carried by all morphisms ⋁_i δ_{w_i} for w_1, ..., w_n ∈ Σ*, with join given 
as above and multiplication $\bigvee_i \delta_{v_i} \cdot \bigvee_j \delta_{w_j} = \bigvee_{i,j} \delta_{v_i w_j}$. We view ts(A) as a 
JSL-automaton with initial state id_S = δ_ε, final states all ⋁_i δ_{w_i} such that some 
w_i is accepted by A, and transitions ⋁_i δ_{w_i} ↦ ⋁_i δ_{w_i a} for w_1, ..., w_n ∈ Σ* 
and a ∈ Σ. This JSL-automaton is reachable and accepts the same language as 
A. It has the following dual characterization: 


Notation 3.18. Given a simple JSL-automaton A = (S, δ, i, f), the subauto- 
maton of Fin(L) obtained by closing S (viewed as a set of languages) under right 
derivatives is called the right-derivative closure of A and denoted rdc(A). 

Proposition 3.19. Let A be a reachable JSL-dfa. Then the transition semiring 
of A, viewed as a JSL-dfa, is dual to the right-derivative closure of A^op: 

$$[\mathsf{ts}(A)]^{op} \;\cong\; \mathsf{rdc}(A^{op}).$$

Note that both [ts(A)]^op and rdc(A^op) are simple, hence subautomata of Fin(L). 
Thus, the isomorphism just expresses that their states accept the same languages. 


4 Boolean Representations and Subatomic NFAs 


Based upon the duality results of the previous section, we will now introduce our 
algebraic approach to nondeterministic state minimality. It rests on the concept 
of a representation of a monoid on a finite semilattice. 


Definition 4.1 (Boolean representation). Let M be a monoid. 

(1) A boolean representation of M is given by a finite semilattice S together with 
a monoid morphism ρ: M → JSL(S, S). The degree of ρ is 

$$\deg(\rho) := |J(S)|.$$

(2) Given boolean representations ρ_i: M → JSL(S_i, S_i), i = 1, 2, an equivariant 
map f: ρ_1 → ρ_2 is a JSL-morphism f: S_1 → S_2 such that 

$$f(\rho_1(m)(s)) = \rho_2(m)(f(s)) \quad\text{for all } m \in M \text{ and } s \in S_1.$$

If f is injective, we say that the representation ρ_2 extends ρ_1. 

Remark 4.2. (1) The above representations are called boolean because sem- 
ilattices are precisely semimodules over the boolean semiring 2 = {0, 1} with 
1 + 1 = 1. For more on representations over general commutative semirings, 
see [21]. 

(2) The category of boolean representations of M coincides with the functor 
category JSL^M, viewing M as a one-object category. 
Definition 4.3 (Canonical representation). For every regular language L, 
the canonical boolean representation of the syntactic monoid syn(L) is given by 

$$\kappa_L\colon \mathsf{syn}(L) \to \mathsf{JSL}(\mathsf{SLD}(L), \mathsf{SLD}(L)),\qquad [w]_L \mapsto \lambda K.\; w^{-1}K.$$

It induces the canonical boolean representation of the free monoid Σ* given by 

$$\kappa_L \circ \mu_L\colon \Sigma^* \to \mathsf{JSL}(\mathsf{SLD}(L), \mathsf{SLD}(L)),\qquad w \mapsto \lambda K.\; w^{-1}K,$$

where μ_L: Σ* → syn(L) is the syntactic morphism. 

The representation κ_L ∘ μ_L amounts to constructing the transition semiring of 
the minimal JSL-automaton SLD(L), i.e. the syntactic semiring [35] of L. 

Example 4.4. We describe the canonical boolean representation κ_{L_n} for the 
language L_n := (0 + 1)*1(0 + 1)^n, n ∈ ℕ. Let S := 2^{n+1} be the semilattice 
of binary words of length n + 1, ordered pointwise, with an additional bottom 
element ⊥. Then SLD(L_n) is isomorphic to S, as witnessed by the isomorphism 

$$f\colon S \cong \mathsf{SLD}(L_n),\qquad f(\bot) = \emptyset,\quad f(w) = w^{-1}L_n.$$

Thus, κ_{L_n} is isomorphic to the representation ρ: syn(L_n) → JSL(S, S) where: 
(1) ρ([0]_{L_n}): S → S performs a left-shift (distinct from left-rotate); 
(2) ρ([1]_{L_n}): S → S performs a left-shift and sets the last bit to 1. 

Finally, deg(κ_{L_n}) = deg(ρ) = 1 + |J(2^{n+1})| = n + 2 is the number of states of 
the usual minimal nfa for L_n. 


Example 4.5. We describe the canonical boolean representation κ_L for the lan- 
guage L = a_1(a_2 + a_3) + a_2(a_1 + a_3) + a_3(a_1 + a_2) over Σ = {a_1, a_2, a_3}. Consider 
the ∪-semilattice M_3 = {∅, {a_1, a_2}, {a_1, a_3}, {a_2, a_3}, Σ}. Then SLD(L) is iso- 
morphic to the product semilattice 2 × M_3 × 2 via the map 

f: SLD(L) ≅ 2 × M_3 × 2, FR HAE SHE XH: 

Note that the first and third component is either ∅ or one other set, i.e. it may be 
identified with the elements of 2. For i = 1, 2, 3 we define the following semilattice 
morphisms: 

$$\alpha_i\colon 2 \to M_3,\quad \alpha_i(1) = \Sigma \setminus \{a_i\};\qquad\qquad \beta_i\colon M_3 \to 2,\quad \beta_i(S) = 1 \iff a_i \in S;$$
$$\gamma\colon 2 \to 2,\quad \gamma(1) = 0;\qquad\qquad \theta\colon M_3 \times 2 \times 2 \to 2 \times M_3 \times 2,\quad \theta(x, y, z) = (z, x, y).$$

Then κ_L is isomorphic to ρ: syn(L) → JSL(2 × M_3 × 2, 2 × M_3 × 2) where 

$$\rho([a_i]_L) \;=\; \big(\, 2 \times M_3 \times 2 \xrightarrow{\ \alpha_i \times \beta_i \times \gamma\ } M_3 \times 2 \times 2 \xrightarrow{\ \theta\ } 2 \times M_3 \times 2 \,\big).$$

Thus, deg(κ_L) = deg(ρ) = 1 + 3 + 1 = 5. An analogous description of κ_L exists 
for any language L where each word has the same length. 

The next theorem links minimal nfas and representations. 


Definition 4.6. The nondeterministic state complexity ns(L) of a regular lan- 
guage L is the least number of states of any nfa accepting L. 

Theorem 4.7. For every regular language L, the nondeterministic state com- 
plexity ns(L) is the least degree of any boolean representation extending the 
canonical representation κ_L ∘ μ_L: Σ* → JSL(SLD(L), SLD(L)). 


Proof (Sketch). 

(1) Given a k-state nfa N = (Q, δ, I, F) accepting L, consider the subsemilattice 
langs(N) = simple(P(N)) of P(Σ*) on all languages accepted by subsets of Q. 
The embedding SLD(L) ↪ langs(N) yields an extension of κ_L ∘ μ_L. Since the 
semilattice langs(N) is generated by the languages accepted by single states of 
N, this extension has degree at most k. 

(2) Conversely, let ρ: Σ* → JSL(S, S) be a boolean representation of degree k 
extending κ_L ∘ μ_L, witnessed by an injective equivariant map h: SLD(L) → S. 
One can equip S with a JSL-dfa structure making h an automata morphism. 
Since morphisms preserve accepted languages, it follows that S accepts L. Then 
the nfa of join-irreducibles of S, see Remark 3.4, is a k-state nfa accepting L. 


As an application, let us return to the dependency relation DR_L introduced 
in Remark 3.14(2). Recall that a biclique of a relation R ⊆ X × Y (viewed as 
a bipartite graph) is a subset of the form X' × Y' ⊆ R, where X' ⊆ X and 
Y' ⊆ Y. A biclique cover of R is a set 𝒞 of bicliques with R = ⋃𝒞. The bipartite 
dimension dim(R) is the least cardinality of any biclique cover of R. 

Theorem 4.8 (Gruber-Holzer [18]). For every regular language L, we have 
dim(DR_L) ≤ ns(L). 

We give a new algebraic proof of this result based on boolean representations. 


Proof. (1) The task of computing biclique covers is well-known to be equivalent 
to the set basis problem. Given a family C ⊆ P(Y) of subsets of a finite set 
Y, a set basis for C is a family B ⊆ P(Y) such that each element of C can be 
expressed as a union of elements of B. A relation R ⊆ X × Y has a biclique cover 
of size k iff the family C_R = {R[x] : x ∈ X} ⊆ P(Y) of neighborhoods of nodes 
in X has a set basis of size k. 

(2) Given an instance C ⊆ P(Y) of the set basis problem, consider the ∪- 
subsemilattice ⟨C⟩ ⊆ P(Y) generated by C, i.e. the semilattice of all unions of 
sets in C. We claim that C has a set basis of size at most k iff there exists an 
extension of ⟨C⟩ of degree at most k, i.e. a monomorphism ⟨C⟩ ↪ S into some 
finite semilattice S with |J(S)| ≤ k. 

For the "only if" direction, suppose that B ⊆ P(Y) is a set basis of C of size 
at most k. Then the embedding ⟨C⟩ ↪ ⟨B⟩ gives an extension of ⟨C⟩ with the 
desired property: since the semilattice ⟨B⟩ has a set of generators with at most k 
elements, it has at most k join-irreducibles. 

For the "if" direction, suppose that m: ⟨C⟩ ↪ S with |J(S)| ≤ k is given. 
Since the free semilattice P(Y) is an injective object of JSL [19, Corollary 2.9], 
there exists a morphism f: S → P(Y) extending the embedding ⟨C⟩ ↪ P(Y). 
Consider the image S' ⊆ P(Y) of f, leading to the commutative diagram below: 

[Diagram: ⟨C⟩ embeds into S via m; f: S → P(Y) factors as the surjection e: S ↠ S' followed by the inclusion S' ↪ P(Y); the embedding ⟨C⟩ ↪ P(Y) closes the triangle.] 

We thus have ⟨C⟩ ⊆ S' ⊆ P(Y). Every set of generators of the semilattice S' is 
a basis of C. Since the morphism e is surjective, we have |J(S')| ≤ |J(S)| ≤ k, 
i.e. S' has a set of generators with at most k elements. 

(3) Let C_{DR_L} ⊆ P(LD(L^r)) be the instance of the set basis problem corres- 
ponding to the dependency relation DR_L ⊆ LD(L) × LD(L^r). Note that ⟨C_{DR_L}⟩ 
consists of all DR_L[X] for X ⊆ LD(L). Thus, Theorem 3.15(1) shows that 
⟨C_{DR_L}⟩ ≅ SLD(L). In particular, every extension of the canonical boolean repres- 
entation of Σ* yields an extension of the semilattice ⟨C_{DR_L}⟩ of the same degree. 
Therefore, by parts (1) and (2) and Theorem 4.7, we have dim(DR_L) ≤ ns(L), as 
required. 


Theorem 4.7 motivates the following definition, which can be considered the key 
concept of our paper: 

Definition 4.9. The nondeterministic syntactic complexity nμ(L) of a regular 
language L is the least degree of any boolean representation of syn(L) extending 
the canonical boolean representation κ_L: syn(L) → JSL(SLD(L), SLD(L)). 

Just like the degrees of boolean representations of Σ* determine the state com- 
plexity of nfas, we will provide an automata-theoretic characterization of nμ(L) 
in terms of subatomic nfas in Theorem 4.14 below. 

Definition 4.10. An nfa accepting the language L is called 
(1) atomic if each state accepts a language from BLD(L), and 
(2) subatomic if each state accepts a language from BLRD(L). 


The notion of an atomic nfa goes back to Brzozowski and Tamm [6], as does the 
following characterization. 


Notation 4.11. For any nfa N, let rsc(N) denote the dfa obtained via the 
reachable subset construction, i.e. the dfa-reachable part of P(N). 

Theorem 4.12. An nfa N is atomic iff rsc(N^r) is a minimal dfa. 


We present a new conceptual proof, interpreting this theorem as an instance of 
the self-duality of JSL-dfas. 


460 R. Myers et al. 


Proof (Sketch). Let L be the language accepted by N. We establish the theorem 
by showing each of the following statements to be equivalent to the next one: 
(1) N is atomic. 
(2) There exists a JSL-automata morphism from P(N) to BLD(L). 
(3) There exists a JSL-automata morphism from P(dfa(L^r)) to P(N^r). 
(4) There exists a dfa morphism from dfa(L^r) to P(N^r). 
(5) There exists a dfa morphism from dfa(L^r) to rsc(N^r). 
(6) rsc(N^r) is a minimal dfa. 

The key step is (2)⇔(3), which follows via duality from Lemmas 3.11 and 3.12, 
and Proposition 3.16. All remaining equivalences follow from the definitions. 


The next theorem gives an analogous characterization of subatomic nfas. Again, 
the proof is based on duality. 


Theorem 4.13. An nfa N accepting the language L is subatomic iff the trans- 
ition monoid of rsc(N^r) is isomorphic to the syntactic monoid syn(L^r). 

Proof (Sketch). Each of the following statements is equivalent to the next one: 
(1) N is subatomic. 
(2) There exists a JSL-dfa morphism from P(N) to BLRD(L). 
(3) There exists a JSL-dfa morphism from rdc(simple(P(N))) to BLRD(L). 
(4) There exists a JSL-dfa morphism from P(syn(L^r)) to ts(reach(P(N^r))). 
(5) There exists a dfa morphism from syn(L^r) to ts(reach(P(N^r))). 
(6) There exists a dfa morphism from syn(L^r) to tm(rsc(N^r)). 
(7) The monoids syn(L^r) and tm(rsc(N^r)) are isomorphic. 

The equivalence (3)⇔(4) follows via duality from Lemma 3.11, Proposition 3.17 
and Proposition 3.19. All remaining equivalences follow from the definitions. 


We are prepared to state the main result of our paper, an automata-theoretic 
characterization of the nondeterministic syntactic complexity: 

Theorem 4.14. For every regular language L, the nondeterministic syntactic 
complexity nμ(L) is the least number of states of any subatomic nfa accepting L. 

Proof (Sketch). 
(1) Let N be a k-state subatomic nfa accepting the language L. As in the proof 
of Theorem 4.7, we consider the semilattice langs(N) = simple(P(N)). Then 

$$\rho\colon \mathsf{syn}(L) \to \mathsf{JSL}(\mathsf{langs}(N), \mathsf{langs}(N)),\qquad [w]_L \mapsto \lambda K.\; w^{-1}K,$$

is a representation of syn(L) of degree at most k extending κ_L. 

(2) Conversely, let ρ: syn(L) → JSL(S, S) be a boolean representation extending 
κ_L, and let h: SLD(L) ↪ S be the embedding. As in the proof of Theorem 4.7, 
we can equip S with the structure of a JSL-dfa making h an automata morphism. 
Its nfa of join-irreducibles, see Remark 3.4, is a subatomic nfa accepting L with 
deg(ρ) states. 
We conclude this section with the observation that the state complexity of 
unrestricted nfas, subatomic nfas and atomic nfas generally differs: 

Example 4.15 (Subatomic more succinct than atomic). Consider the 
language L accepted by the nfa N shown below, along with the minimal dfas for 
L and L^r. Each automaton has exactly one initial state, namely 0. 

[Figure: the nfa N, the minimal dfa dfa(L) and the minimal dfa dfa(L^r).] 

Brzozowski and Tamm [6] showed that there is no atomic nfa with four states 
accepting L. However, N is subatomic: one can verify that the transition monoids 
of dfa(L^r) and rsc(N^r) both have 22 elements. Since the former is the syntactic 
monoid of L^r, they are isomorphic, and so Theorem 4.13 applies. 
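The checks behind Theorems 4.12 and 4.13, together with the counting argument of Example 4.15 (a reachable dfa accepting L^r has a transition monoid that maps onto syn(L^r), so equal cardinality already gives an isomorphism), can be run mechanically. The Python below is an added example and not code from the paper; the automaton encoding and the two input nfas N1 (the usual nfa for L_1 from Example 4.4) and N2 (an nfa for a(b+c)) are constructed here.

```python
"""Checking atomicity (Thm 4.12) and subatomicity (Thm 4.13) of an nfa.

Added example, not from the paper. An nfa is a tuple
(states, alphabet, delta, initial, final) where delta maps (state, letter)
to a set of states; a missing key means "no transition". The dfas built
below are total, with frozensets (rsc) or ints (minimize) as states.
"""
from collections import deque


def reverse(nfa):
    """N^r: flip every transition and swap initial and final states."""
    Q, A, d, I, F = nfa
    rd = {}
    for (q, a), targets in d.items():
        for t in targets:
            rd.setdefault((t, a), set()).add(q)
    return (Q, A, rd, set(F), set(I))


def rsc(nfa):
    """Reachable subset construction rsc(N): the dfa-reachable part of P(N)."""
    Q, A, d, I, F = nfa
    start = frozenset(I)
    states, trans, todo = {start}, {}, deque([start])
    while todo:
        S = todo.popleft()
        for a in A:
            T = frozenset(t for q in S for t in d.get((q, a), ()))
            trans[(S, a)] = T
            if T not in states:
                states.add(T)
                todo.append(T)
    return (states, A, trans, start, {S for S in states if S & F})


def minimize(dfa):
    """Moore's partition refinement on a reachable total dfa -> minimal dfa."""
    Q, A, d, i, F = dfa
    block = {q: int(q in F) for q in Q}
    while True:
        sig = {q: (block[q],) + tuple(block[d[(q, a)]] for a in A) for q in Q}
        labels = {}
        new = {q: labels.setdefault(sig[q], len(labels)) for q in Q}
        if len(labels) == len(set(block.values())):
            break  # partition is stable, i.e. it is the Nerode partition
        block = new
    trans = {(block[q], a): block[d[(q, a)]] for q in Q for a in A}
    return (set(block.values()), A, trans, block[i], {block[q] for q in F})


def transition_monoid(dfa):
    """tm(D): all extended transition maps delta_w, w in A*, as index tuples."""
    Q, A, d, i, F = dfa
    order = sorted(Q, key=str)
    idx = {q: k for k, q in enumerate(order)}
    gens = {a: tuple(idx[d[(q, a)]] for q in order) for a in A}
    ident = tuple(range(len(order)))  # delta_epsilon = id_S
    seen, todo = {ident}, deque([ident])
    while todo:
        f = todo.popleft()
        for a in A:
            # delta_{wa}: first apply delta_w, then delta_a
            g = tuple(gens[a][f[k]] for k in range(len(order)))
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen


def is_atomic(nfa):
    """Theorem 4.12: N is atomic iff rsc(N^r) is already a minimal dfa."""
    D = rsc(reverse(nfa))
    return len(minimize(D)[0]) == len(D[0])


def monoid_sizes(nfa):
    """(|tm(rsc(N^r))|, |syn(L^r)|), using syn(L^r) = tm(minimize(rsc(N^r)))."""
    D = rsc(reverse(nfa))
    return len(transition_monoid(D)), len(transition_monoid(minimize(D)))


def is_subatomic(nfa):
    """Theorem 4.13: N is subatomic iff tm(rsc(N^r)) is isomorphic to syn(L^r).
    rsc(N^r) is reachable and accepts L^r, so its transition monoid maps onto
    syn(L^r); equal size then forces an isomorphism (as in Example 4.15)."""
    size_rsc, size_syn = monoid_sizes(nfa)
    return size_rsc == size_syn


# Constructed inputs (not the paper's figures).
# N1: the usual 3-state nfa for L_1 = (0+1)*1(0+1) of Example 4.4 with n = 1.
N1 = ({0, 1, 2}, ["0", "1"],
      {(0, "0"): {0}, (0, "1"): {0, 1}, (1, "0"): {2}, (1, "1"): {2}},
      {0}, {2})
# N2: an nfa for a(b+c) whose middle states accept b and c separately; neither
# language lies in the boolean closure of the two-sided derivatives of a(b+c),
# so N2 should be neither atomic nor subatomic.
N2 = ({0, 1, 2, 3}, ["a", "b", "c"],
      {(0, "a"): {1, 2}, (1, "b"): {3}, (2, "c"): {3}},
      {0}, {3})

if __name__ == "__main__":
    for name, N in [("N1", N1), ("N2", N2)]:
        print(name, "atomic:", is_atomic(N), "subatomic:", is_subatomic(N),
              "monoid sizes:", monoid_sizes(N))
```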


Example 4.16 (Subatomic less succinct than general nfas). There is a 
regular language for which no state-minimal nfa is subatomic: 


L := {a" : neEW,nF45}C {a}*. 


It is accepted by the following nfa: 

[Figure: a state-minimal nfa accepting L.] 

An exhaustive search shows that no subatomic nfa with five states accepts L. 
In fact, L is the unique (!) unary language with ns(L) ≤ 5 and ns(L) < nμ(L). 
Moreover, the above nfa and its reverse are the only state-minimal nfas for L. 


5 Applications 


While subatomic nfas are generally less succinct than unrestricted ones, all struc- 
tural results concerning nondeterministic state complexity we have encountered 
in the literature are actually about nondeterministic syntactic complexity: they 
implicitly identify classes of languages where the two measures coincide. In the 
present section, we illustrate this in a few selected applications. 
5.1 Unary languages 


For unary languages L C {a}*, two-sided derivatives are left derivatives. Thus, a 
unary nfa is atomic iff it is subatomic. 


Example 5.1 (Cyclic unary languages). A unary language L is cyclic if 
its minimal dfa is a cycle [16]. We claim that ns(L) = nμ(L). To see this, let 
d := |LD(L)| be the period (i.e. number of states) of the minimal dfa. By Fact 1 of 
[16] (originally from [22]) every state-minimal nfa N accepting L is a disjoint union 
of cyclic dfas whose periods divide d.¹ Then |rsc(N^r)| = d: we have |rsc(N^r)| ≥ d 
since rsc(N^r) is a dfa accepting L = L^r and d is the size of the minimal dfa for 
L, and |rsc(N^r)| ≤ d because after d steps, each cycle will be back in its initial 
state. Thus N is atomic by Theorem 4.12 and hence subatomic. 


We deduce the following result for (not necessarily unary) regular languages: 

Theorem 5.2. If syn(L) is a cyclic group, then ns(L) = nμ(L). 

Proof (Sketch). Suppose that syn(L) = tm(dfa(L)) is cyclic. Then there exists 
w_0 ∈ Σ* such that the map λX. w_0^{-1}X: LD(L) → LD(L) generates tm(dfa(L)). 
Fix an alphabet Σ_0 = {a_0} disjoint from Σ and consider the unary language 

$$L_0 := \{\, a_0^n : n \in \mathbb{N},\; w_0^n \in L \,\} \subseteq \Sigma_0^*.$$

Let g: Σ_0^* → Σ* be the monoid morphism where g(a_0) := w_0. Then we have the 
JSL-isomorphism 

$$f\colon \mathsf{SLD}(L_0) \cong \mathsf{SLD}(L),\qquad f(X^{-1}L_0) := g[X]^{-1}L.$$

For each a ∈ Σ choose n_a ∈ ℕ such that a^{-1}K = (w_0^{n_a})^{-1}K for all K ∈ LD(L). 
The respective transition endomorphisms of the JSL-automata SLD(L_0) and 
SLD(L) determine each other in the sense that the following diagrams commute: 

[Diagram: two commutative squares, each with f: SLD(L_0) → SLD(L) as top and bottom edge; the first square has a_0^{-1}(-) on the left and w_0^{-1}(-) on the right, the second has (a_0^{n_a})^{-1}(-) on the left and a^{-1}(-) on the right.] 

Then ns(L) = ns(L_0) by Theorem 4.7 and nμ(L) = nμ(L_0) by Theorem 4.14. 
Moreover, by Example 5.1 we know that ns(L_0) = nμ(L_0), so the claim follows. 


Example 5.3 (nμ(L) no larger than Chrobak normal form). A unary nfa 
is in Chrobak normal form [8,13] if it has a single initial state and at most one 
state with multiple successors, all of which lie in disjoint cycles. We claim that 
for any nfa N in Chrobak normal form accepting the language L, we have 

$$n\mu(L) \le |N|,$$

where |N| denotes the number of states of N. To see this, observe that each state 
of N up to and including the unique choice state accepts some left derivative of 
L. The successors of the choice state collectively accept a derivative u^{-1}L; this 
language is cyclic because it is a finite union of cyclic languages. Therefore, by 
Example 5.1 we may replace the cycles by an atomic nfa accepting u^{-1}L, without 
increasing the number of states. The resulting nfa is atomic. 

¹ In [16] nfas are restricted to have a single initial state and so are distinguished from 
unions of dfas; the latter are valid nfas from our perspective. 

Since every unary nfa on n states can be transformed into an nfa in Chrobak 
normal form with O(n²) states [8, Lemma 4.3], we get: 

Corollary 5.4. If L is a unary regular language, then nμ(L) = O(ns(L)²). 


5.2 Languages with a canonical state-minimal nfa 


There are several natural classes of regular languages for which canonical state- 
minimal nondeterministic acceptors have been identified. We show that these 
acceptors are actually subatomic. In our arguments, we frequently consider the 
length of a finite semilattice S, i.e. the maximum length n of any ascending chain 
s_0 < s_1 < ... < s_n in S. Note that since every element is uniquely determined 
by the set of join-irreducibles below it, the length of S is at most |J(S)|. 


Example 5.5 (Bideterministic and biseparable languages). 


(1) A language is called bideterministic if it is accepted by a dfa whose reverse is 
also a dfa. In this case, the minimal dfa is a minimal nfa [34,38]. Bideterministic 
languages have been studied in the context of automata learning [2] and coding 
theory, where they are known as rectangular codes [27,36]. We show that for 
every bideterministic language L, 

$$\mathsf{ns}(L) = n\mu(L) = |\mathsf{LD}(L)|.$$

To this end, we first note that by [36, Theorem 3.1] a language L ⊆ Σ* is 
bideterministic iff the left derivatives of L are pairwise disjoint. This implies that 
SLD(L) is a boolean algebra with atoms LD(L). Since the length of a boolean 
algebra equals the number of atoms (= join-irreducibles), we conclude that for 
every finite semilattice extension SLD(L) ↪ S, the semilattice S has length 
at least |LD(L)|. Thus, |LD(L)| ≤ |J(S)|, so any representation ρ extending 
κ_L or κ_L ∘ μ_L satisfies |LD(L)| ≤ deg(ρ). Hence, ns(L) = nμ(L) = |LD(L)| by 
Theorems 4.7 and 4.14. In particular, the minimal dfa of L is a minimal nfa. 

(2) A language L is biseparable if SLD(L) is a boolean algebra [28].² For every 
biseparable language L, the canonical residual automaton [12], i.e. the nfa N_L 
of join-irreducibles of the minimal JSL-dfa SLD(L), is a state-minimal nfa; it 
is subatomic because every state of N_L accepts a derivative of L. This follows 
exactly as in (1): our argument only used that SLD(L) is a boolean algebra. 

² Actually [28] defines biseparability as a property of nfas, and characterizes biseparable 
nfas as those accepting a language L for which no ∪-irreducible left derivative is 
contained in the union of other ∪-irreducible left derivatives. This is equivalent to 
the lattice SLD(L) being boolean, i.e. to L being 'biseparable' in our sense. 




Example 5.6 (Maximal reachability). A folklore result asserts that if N 
is an nfa whose accepted language L satisfies |LD(L)| = 2^{|N|}, then N is state- 
minimal. Since LD(L) forms the set of states of the minimal dfa for L and rsc(N) 
accepts L, we have rsc(N) = P(N). It follows that the JSL-dfa P(N) is reachable 
and simple, hence isomorphic to the minimal JSL-dfa SLD(L). This proves that 
SLD(L) is a boolean algebra, i.e. L is a biseparable language. We conclude from 
Example 5.5(2) that ns(L) = nμ(L) = |N| and N_L is a subatomic minimal nfa. 


Example 5.7 (BiRFSA and topological languages). So far SLD(L) has 
been a boolean algebra. But the argument in Example 5.5 also applies when 
SLD(L) is a distributive lattice, noting that the length of a finite distributive 
lattice is equal to the number of its join-irreducibles [17, Corollary 2.14]. Languages 
with this property are called topological [1]. It thus follows as in Example 5.5(2) 
that for any topological language L, the canonical residual automaton N_L is 
subatomic and a state-minimal nfa. Thus, ns(L) = nμ(L) = |J(SLD(L))|. 

There is another class of languages where N_L is known to be a state-minimal 
nfa, the biRFSA languages [28]. A language L is called biRFSA if N_L is isomorphic 
to (N_{L^r})^r. Surprisingly, these languages are exactly the topological ones: 

(1) Suppose that L is topological. Recall that N_L is the nfa of join-irreducibles 
of the minimal JSL-dfa. Thus, it has states J(SLD(L)) and transitions given by 
X —a→ Y iff Y ⊆ a^{-1}X for a ∈ Σ. Moreover, a join-irreducible j is initial iff j ⊆ L 
and final iff ε ∈ j. Since the lattice SLD(L) is distributive, we have a canonical 
bijection between its join- and meet-irreducibles: 

$$J(\mathsf{SLD}(L)) \to M(\mathsf{SLD}(L)),\qquad j \mapsto \bigcup\{\, X \in \mathsf{SLD}(L) : j \not\subseteq X \,\}.$$

Let θ be the unique map making the following diagram commute, where d_L is 
the restriction of the isomorphism of Proposition 3.13: 

[Diagram: a triangle with J(SLD(L)) at the top, J(SLD(L^r)) at the bottom left and M(SLD(L)) at the bottom right; the bottom edge is d_L: J(SLD(L^r)) → M(SLD(L)), the left edge is θ: J(SLD(L)) → J(SLD(L^r)), and the right edge is the bijection above.] 

One can show θ to be an nfa isomorphism from N_L to (N_{L^r})^r. Thus, L is biRFSA. 

(2) Suppose that L is biRFSA. Then we have a surjective JSL-morphism 

$$[\mathcal{P}(J(\mathsf{SLD}(L)))]^{op} \;\cong\; \mathcal{P}(J(\mathsf{SLD}(L^r))) \xrightarrow{\ e_{L^r}\ } \mathsf{SLD}(L^r) \;\cong\; [\mathsf{SLD}(L)]^{op}$$

where the first isomorphism follows from N_L ≅ (N_{L^r})^r and Lemma 3.11, the 
second isomorphism is given by Proposition 3.13, and e_{L^r} sends X ⊆ J(SLD(L^r)) 
to ⋃X. The dual of this morphism is the injective JSL-morphism 

$$m_L\colon \mathsf{SLD}(L) \to \mathcal{P}(J(\mathsf{SLD}(L)))$$

sending K ∈ SLD(L) to the set of all j ∈ J(SLD(L)) with j ⊆ K. Note that 
e_L ∘ m_L = id_{SLD(L)}, showing that SLD(L) is a retract of P(J(SLD(L))). Since 
JSL-retracts of finite distributive lattices are distributive, see e.g. [31, Lemma 
2.2.3.15], it follows that SLD(L) is distributive. Thus, L is topological. 
Example 5.8 (Extremal languages). Call a language extremal if SLD(L) has 
length |J(SLD(L))|, i.e. we have an extremal lattice in the sense of Markowsky 
[29]. Again, the argument of Example 5.5 applies and we get ns(L) = nμ(L) = 
|J(SLD(L))|. Topological languages are extremal since every distributive lattice 
is an extremal lattice, although extremal languages need not be topological. Both 
classes are naturally characterized in terms of the reduced dependency relation: 

(1) L is topological iff DR^J_L is essentially an order relation ≤_P ⊆ P × P of a 
finite poset [30, Example 2.2.12]. 

(2) L is extremal iff DR^J_L is upper unitriangularizable [29, Theorem 11]. 

The latter means the adjacency matrix of the bipartite graph DR^J_L can be 
put in upper triangular form with ones along the diagonal, by permuting rows 
and columns. An order relation is upper unitriangularizable because it may be 
extended to a linear order. 


6 Conclusion and Future Work 


Motivated by the duality theory of deterministic finite automata over semilattices, 
we introduced a natural class of nondeterministic finite automata called subatomic 
nfas and studied their state complexity in terms of boolean representations of 
syntactic monoids. Furthermore, we demonstrated that a large body of previous 
work on state minimization of general nfas actually constructs minimal subatomic 
ones. There are several directions for future work. 

As illustrated by Theorem 4.8, the dependency relation DR_L forms a useful 
tool for proving lower bounds on nfas. It is also a key element of the Kameda- 
Weiner algorithm [26,37] for minimizing nfas, which rests on computing biclique 
covers of DR_L. We aim to give an algebraic interpretation of dependency rela- 
tions based on the representation of finite semilattices by contexts [24], which 
can be augmented to a categorical equivalence between JSL and a suitable 
category of bipartite graphs [31]. Under this equivalence, JSL-dfas correspond to 
dependency automata; in particular, the minimal JSL-dfa SLD(L) corresponds 
to a dependency automaton whose underlying bipartite graph is precisely the 
dependency relation DR_L. We expect that this observation can lead to a fresh 
algebraic perspective on the Kameda-Weiner algorithm, as well as a generalization 
of it computing minimal (sub-)atomic nfas. 

On a related note, we also intend to investigate the complexity of the minim- 
ization problem for (sub-)atomic nfas. While minimizing general nfas is PSPACE- 
complete, even if the input automaton is a dfa, we conjecture that the additional 
structure present in (sub-)atomic acceptors will simplify their minimization to 
an NP-complete task. First evidence in this direction is provided by Geldenhuys, 
van der Merwe, and van Zijl [14] whose work implies that minimal atomic nfas 
can be efficiently computed in practice using SAT solvers. 
Abstract. We develop a fully diagrammatic approach to finite-state au- 
tomata, based on reinterpreting their usual state-transition graphical rep- 
resentation as a two-dimensional syntax of string diagrams. In this set- 
ting, we are able to provide a complete equational theory for language 
equivalence, with two notable features. First, the proposed axiomatisation 
is finite— a result which is provably impossible for the one-dimensional 
syntax of regular expressions. Second, the Kleene star is a derived con- 
cept, as it can be decomposed into more primitive algebraic blocks. 


Keywords: string diagrams - finite-state automata - symmetric monoidal 
category - complete axiomatisation 


1 Introduction 


Finite-state automata are one of the most studied structures in theoretical com- 
puter science, with an illustrious history and roots reaching far beyond, in the 
work of biologists, psychologists, engineers and mathematicians. Kleene 
introduced regular expressions to give finite-state automata an algebraic pre- 
sentation, motivated by the study of (biological) neural networks [31]. They are 
the terms freely generated by the following grammar: 


$$e, f \;::=\; e + f \;\mid\; e \cdot f \;\mid\; e^* \;\mid\; 0 \;\mid\; 1 \;\mid\; a \quad (a \in \Sigma) \qquad (1)$$


Equational properties of regular expressions were studied by Conway who 
introduced the term Kleene algebra: this is an idempotent semiring with an oper- 
ation (—)* for iteration, called the (Kleene) star. The equational theory of Kleene 
algebra is now well-understood, and multiple complete axiomatisations, both 
for language and relational models, have been given. Crucially, Kleene alge- 
bra is not finitely-based: no finite equational theory can appropriately capture 
the behaviour of the star [35]. Instead, there are purely equational infinitary 
axiomatisations and Kozen’s finitary implicational theory [26]. 

Since then, much research has been devoted to extending Kleene algebra 
with operations capturing richer patterns of behaviour, useful in program veri- 
fication. Examples include conditional branching (Kleene algebra with tests [27], 
and its recent guarded version [37]), concurrent computation (CKA [19,23]), 
and specification of message-passing behaviour in networks (NetKAT [1]). 


© The Author(s) 2021 
The meta-theory of the formalisms above essentially rests on the same three 
ingredients: (1) given an operational model (e.g., finite-state automata), (2) de- 
vise a syntax (regular expressions) that is sufficiently expressive to capture the 
class of behaviours of the operational model (regular languages), and (3) find a 
complete axiomatisation (Kleene algebra) for the given semantics. 

In this paper, we open up a direct path from (1) to (3). Instead of thinking 
of automata as a combinatorial model, we formalise them as a bona-fide (two- 
dimensional) syntax, using the well-established mathematical theory of string 
diagrams and monoidal categories [36]. This approach lets us axiomatise the 
behaviour of automata directly, freeing us from the necessity of compressing 
them down to a one-dimensional notation like regular expressions. 

This perspective not only sheds new light on a venerable topic, but has sig- 
nificant consequences. First, as our most important contribution, we are able to 
provide a finite and purely equational axiomatisation of finite-state automata, up 
to language equivalence. Intriguingly, this does not contradict the impossibility 
of finding a finite basis for Kleene algebra, as the algebraic setting is different: 
our result gives a finite presentation as a symmetric monoidal category, while 
the impossibility result prevents any such presentation to exist as an algebraic 
theory (in the standard sense). In other words, there is no finite axiomatisation 
based on terms (tree-like structures), but we demonstrate that there is one based 
on string diagrams (graph-like structures). 

Secondly, embracing the two-dimensional nature of automata guarantees a 
strong form of compositionality that the one-dimensional syntax of regular ex- 
pressions does not have. In the string diagrammatic setting, automata may have 
multiple inputs and outputs and, as a result, can be decomposed into subcom- 
ponents that retain a meaningful interpretation. For example, if we split the 
automata below left, the resulting components are still valid string diagrams 
within our syntax, below right: 


[Figure: an automaton over the letters a and b (left) and the two components it splits into, each still a valid string diagram (right).] 


In line with the compositional approach, it is significant that the Kleene star can 
be decomposed into more elementary building blocks (which come together to 
form a feedback loop): 


[Diagram: the Kleene star decomposed into elementary building blocks forming a feedback loop.] 


This opens up for interesting possibilities when studying extensions of Kleene 
algebra within the same approach— we elaborate on this in Section 

Finally, we believe our proof of completeness is of independent interest, as it 
relies on a fully diagrammatic reformulation of Brzozowski’s minimisation algo- 
rithm [12]. In the string diagrammatic setting, the symmetries of the equational 


A String Diagrammatic Axiomatisation of Finite-State Automata 471 


theory give this procedure a particularly elegant and simple form. Because all 
of the axioms involved in the determinisation procedure come with a dual, a co- 
determinisation procedure can be defined immediately by simply reversing the 
former. This reduces the proof of completeness to a proof that determinisation 
can be performed diagrammatically. 


We should also note that this is not the first time that automata and regular 
languages are recast into a categorical mould. The iteration theories [5] of Bloom 
and Esik, sharing graphs of Hasegawa or network algebras of Stefanescu 
are all categorical frameworks designed to reason about iteration or recursion, 
that have found fruitful applications in this domain. They are based on a no- 
tion of parameterised fixed-point which defines a categorical trace in the sense 
of [22]. While our proposal bears resemblance to (and is inspired by) this prior 
work, it goes beyond in one fundamental aspect: it is the first to give a finite 
complete axiomatisation of automata up to language equivalence. 

A second difference is methodological: our syntax (4) does not feature any 
primitive for iteration or recursion. In particular, the star is a derived concept, 
in the sense that it is decomposable into more elementary operations (3). Cate- 
gorically, our starting point is a compact-closed rather than traced category. 

We elaborate on the relation between ours and existing work in Section 6. 
Omitted proofs can be found in [B3]. 


2 Syntax and semantics 


Syntax. We fix an alphabet Σ of letters a ∈ Σ. We call Aut_Σ the symmetric strict 
monoidal category freely generated by the following objects and morphisms: 


- three generating objects: the action object (‘action’, drawn as a red wire), ▸ (‘right’) and ◂ (‘left’), with their identity morphisms depicted respectively as a red wire, a right-pointing black wire and a left-pointing black wire; 
- the following generating morphisms, depicted as string diagrams: 

[Generating morphisms of Aut_Σ; the pictures are shown in the original.] (4) 


Freely generating Aut_Σ from these data (usually called a symmetric monoidal theory [42, 11]) means that morphisms of Aut_Σ will be the string diagrams obtained by pasting together (by sequential composition and monoidal product in Aut_Σ) the basic components in (4), and then quotienting by the laws of symmetric monoidal categories. For instance, (3) is a morphism of Aut_Σ of type ▸ → ▸, and the diagram shown in the original is one of type ▸▸ → ▸. 


Semantics. We first define the semantics for string diagrams simply as a function, and then discuss how to extend it to a functor from Aut_Σ to another category. Our interpretation maps generating morphisms to relations between regular expressions and languages over Σ: 


Below, each generator is named by its role (the pictures are shown in the original); • denotes the empty tuple and RegExp the set of regular expressions over Σ. 

$$\begin{aligned}
&\llbracket\text{red wire}\rrbracket = \{(e,e) \mid e \in \mathrm{RegExp}\} &&\llbracket\text{star}\rrbracket = \{(e,e^*) \mid e \in \mathrm{RegExp}\}\\
&\llbracket\text{red copy}\rrbracket = \{(e,(e,e)) \mid e \in \mathrm{RegExp}\} &&\llbracket\text{red discard}\rrbracket = \{(e,\bullet) \mid e \in \mathrm{RegExp}\}\\
&\llbracket\text{product}\rrbracket = \{((e,f),ef) \mid e,f \in \mathrm{RegExp}\} &&\llbracket 1 \rrbracket = \{(\bullet,1)\} \qquad \llbracket a \rrbracket = \{(\bullet,a)\}\\
&\llbracket\text{sum}\rrbracket = \{((e,f),e+f) \mid e,f \in \mathrm{RegExp}\} &&\llbracket 0 \rrbracket = \{(\bullet,0)\}\\
&\llbracket\text{copy}\rrbracket = \{(L,(K_1,K_2)) \mid L \subseteq K_i,\ i=1,2 \text{ and } L,K_1,K_2 \subseteq \Sigma^*\}\\
&\llbracket\text{merge}\rrbracket = \{((L_1,L_2),K) \mid L_i \subseteq K,\ i=1,2 \text{ and } L_1,L_2,K \subseteq \Sigma^*\}\\
&\llbracket\text{delete}\rrbracket = \{(L,\bullet) \mid L \subseteq \Sigma^*\} &&\llbracket\text{cup}\rrbracket = \{(\bullet,(L,K)) \mid L \subseteq K,\ L,K \subseteq \Sigma^*\}\\
&\llbracket\text{unit}\rrbracket = \{(\bullet,K) \mid K \subseteq \Sigma^*\} &&\llbracket\text{cap}\rrbracket = \{((L,K),\bullet) \mid K \subseteq L,\ L,K \subseteq \Sigma^*\}\\
&\llbracket\text{right wire}\rrbracket = \{(L,K) \mid L \subseteq K,\ L,K \subseteq \Sigma^*\} &&\llbracket\text{left wire}\rrbracket = \{(L,K) \mid K \subseteq L,\ L,K \subseteq \Sigma^*\}\\
&\llbracket\text{action}\rrbracket = \{((e,L),K) \mid L\llbracket e\rrbracket_\Sigma \subseteq K \text{ and } e \in \mathrm{RegExp},\ L,K \subseteq \Sigma^*\} \qquad (5)
\end{aligned}$$


In (5), the semantics ⟦e⟧_Σ ∈ 2^{Σ*} of a regular expression e ∈ RegExp is defined inductively on e (see (1)), in the standard way: 

$$\llbracket e+f\rrbracket_\Sigma = \llbracket e\rrbracket_\Sigma \cup \llbracket f\rrbracket_\Sigma \qquad \llbracket ef\rrbracket_\Sigma = \{vw \mid v \in \llbracket e\rrbracket_\Sigma,\ w \in \llbracket f\rrbracket_\Sigma\}$$
$$\llbracket 1\rrbracket_\Sigma = \{\varepsilon\} \qquad \llbracket 0\rrbracket_\Sigma = \emptyset \qquad \llbracket a\rrbracket_\Sigma = \{a\} \qquad \llbracket e^*\rrbracket_\Sigma = \bigcup_{n \in \mathbb{N}} \llbracket e^n\rrbracket_\Sigma$$

where e^{n+1} := e e^n and e^0 := 1. The semantics highlights the different roles played by red and black generators. In a nutshell, red generators stand for regular expressions (the sum, 0, the product, 1, the Kleene star, and the letters of Σ), and black generators for operations on the set of languages (copy, delete, and the two bent wires that feed back outputs into inputs, in a way made more precise later). These two perspectives, which are usually merged, are kept distinct in our approach and only allowed to communicate via the action generator, which represents the product action of regular expressions (the red wire) on languages via concatenation on the right. 

In order for this mapping to be functorial from Aut_Σ, we now introduce a suitable target semantic category. Interestingly, this will not be the category Rel of sets and relations: indeed, the identity morphisms of ▸ and ◂ are not interpreted as identities of Rel. Instead, the semantic domain will be the category Prof_B of Boolean(-enriched) profunctors (also called in the literature relational profunctors or weakening relations [32]). 


Definition 1. Given two preorders (X, ≤_X) and (Y, ≤_Y), a Boolean profunctor R : X → Y is a relation R ⊆ X × Y such that if (x,y) ∈ R and x' ≤_X x, y ≤_Y y', then (x',y') ∈ R. 

1 The reader with a greyscale version of the paper should see light grey generators 
instead. 

Preorders and Boolean profunctors form a symmetric monoidal category Prof_B with composition given by relational composition. The identity for an object (X, ≤_X) is the order relation ≤_X itself. The monoidal product is the usual product of preorders. 


The rich features of our diagrammatic language are reflected in the profunctor interpretation. Indeed, the order relation is built into the wires ▸ and ◂. The two possible directions represent the identities on the ordered set of languages and the same set with the reversed order, respectively. The additional red wire represents the set RegExp of regular expressions, with equality as the associated order relation.² It is clear that all monochromatic generators satisfy the condition of Definition 1. Similarly, the action generator is a Boolean profunctor: if ((e,L),K) are such that L⟦e⟧_Σ ⊆ K and L' ⊆ L, K ⊆ K', then we have L'⟦e⟧_Σ ⊆ L⟦e⟧_Σ ⊆ K ⊆ K' by monotony of the product of languages. We can conclude that 


Proposition 1. ⟦−⟧ defines a symmetric monoidal functor of type Aut_Σ → Prof_B. 


In particular, because Aut_Σ is free, we can unambiguously assign meaning to any composite diagram from the semantics of its components using composition and the monoidal product in Prof_B: 

$$\llbracket c\,;\,d\rrbracket = \{(L,K) \mid \exists M.\ (L,M) \in \llbracket c\rrbracket,\ (M,K) \in \llbracket d\rrbracket\}$$
$$\llbracket c_1 \otimes c_2\rrbracket = \{((L_1,L_2),(K_1,K_2)) \mid (L_i,K_i) \in \llbracket c_i\rrbracket,\ i = 1,2\}$$
Example 1. We include here a worked out example to show how to compute the behaviour of a composite diagram (shown in the original) which, as we will see, represents the action by concatenation of the regular language a*. We assign variable names to each wire: O to the top wire of the feedback loop, N to the output wire of the action node, and M to the middle wire joining the copy to the merge, so that we can compute: 

$$\begin{aligned}
\llbracket \text{diagram} \rrbracket &= \{(L,K) \mid \exists M,N,O.\ L,N \subseteq M,\ O\llbracket a\rrbracket_\Sigma \subseteq N,\ M \subseteq O,K\}\\
&= \{(L,K) \mid \exists N,O.\ L,N \subseteq O,\ L,N \subseteq K,\ Oa \subseteq N\}\\
&= \{(L,K) \mid \exists O.\ Oa \subseteq O,\ L \subseteq O,\ L,O \subseteq K\}
\end{aligned}$$

Call this diagram d. Since Oa ⊆ O and L ⊆ O is equivalent to L ∪ Oa ⊆ O, ⟦d⟧ = {(L,K) | ∃O s.t. L ∪ Oa ⊆ O, L,O ⊆ K}. Finally, by Arden’s lemma [2], La* is the least solution of the language inequality L ∪ Xa ⊆ X; thus ⟦d⟧ = {(L,K) | ∃O s.t. La* ⊆ O, L,O ⊆ K} = {(L,K) | La* ⊆ K}. 


3 Equational theory 


In Figure 1 we introduce =_KDA, the (finite) equational theory of Kleene Diagram Algebra, on Aut_Σ. It will later be shown to be complete for the given semantics. We explain some salient features of =_KDA below. 


2 Note that we can always consider any set with equality as a poset and that, therefore, Rel is a subcategory of Prof_B, but not vice versa, for the simple reason that the identity relation of an arbitrary poset in Prof_B is not mapped to the identity relation in Rel. 
[Figure 1, with the equations (A1)-(A3), (B1)-(B12), (C1)-(C5), (D1)-(D2) and (E1)-(E15), is shown in the original.] 

Fig. 1. Equational theory =_KDA of Kleene Diagram Algebra. 
- (A1)-(A2) relate the two bent wires, allowing us to bend and straighten wires at will. This makes the full subcategory of Aut_Σ on ▸ and ◂, modulo (A1)-(A2), compact closed [24]. (A3) allows us to eliminate isolated loops. Note that the whole category is not compact closed because the action object has no dual. 

- The B block states that copy and delete form a cocommutative comonoid (B1)-(B3), while merge and unit form a commutative monoid (B4)-(B6). Moreover, copy, delete, merge and unit together form an idempotent bimonoid (B7)-(B11). (B12) allows us to eliminate trivial feedback loops. 

- The C block axiomatises the action of regular expressions on languages. These laws mimic the usual definition of the action of a semiring on a set, except for (C5) which is novel and captures the interaction with the Kleene star. Here lies a distinctive feature of our theory: the behaviour of the star is derived from its decomposition as the feedback loop on the right of (C5). 

- The D block forces the action to be a comonoid ((D1)-(D2)) and monoid ((D1)-(D2)) homomorphism. 

- The E block axiomatises the purely red fragment. Remarkably, these axioms do not describe any of the actual Kleene algebra structure: they just state that red copy and red discard form a commutative comonoid ((E1)-(E3)) and that all other red generators are comonoid homomorphisms ((E4)-(E15)). This means that the red fragment is actually the free (cartesian) algebraic theory (cf. [42, 11]) on generators sum, product, 1, 0, star and a (a ∈ Σ), where the remaining generators, red copy and red discard, act as copy and discard of variables. 


Let =_KDA be the smallest equational theory containing all equations in Fig. 1. Their soundness for the chosen semantics is not difficult to show and, for space reasons, we omit the proof. We now state our completeness result, whose proof will be discussed in Section 5. 


Theorem 1 (Completeness). For morphisms d, e in Aut_Σ, d =_KDA e iff ⟦d⟧ = ⟦e⟧. 


Remark 1. In the usual approach to the theory of regular languages (e.g. [26]), a completeness result like Theorem 1 is typically proven by first defining a class of models for the algebraic theory, and showing that the standard semantics constitutes the initial/free model. Our proof is different in flavour, but equivalent: taking advantage of the categorical formulation of our diagrammatic syntax and its semantics, we construct an equivalence of categories between our model and the diagrams quotiented by the equations of KDA. 


Remark 2. Some axiomatisations of Kleene algebra use a partial order between terms, which can be defined from the idempotent monoid structure: f ≤ e iff e + f = e. At the semantic level, it corresponds to inclusion of languages. Similarly, using the idempotent bimonoid structure of our equational theory, we can define a partial order on ▸ → ▸ diagrams: f ≤ e iff copying the input, running f and e in parallel and merging their outputs yields a diagram equal to e. This partial order structure can also be extended to all morphisms ▸^n → ▸^m by using the vertical composition of n copies of copy and m copies of merge instead. 
Remark 3. There are no specific equations relating the atomic actions a (a ∈ Σ). This is because, as we study automata, we are interested in the free monoid Σ* over Σ. However, nothing would prevent us from modelling other structures. Free commutative monoids (powers of ℕ), whose rational subsets correspond to semilinear sets [Chapter 11], would be of particular interest. 


4 Encoding regular expressions and automata 


A major appeal of our approach is that both regular expressions and automata 
can be uniformly represented in the graphical language of string diagrams, and 
the translation of one into the other becomes an equational derivation in =_KDA. 
In fact, we will see there is a close resemblance between automata and the shape 
of the string diagrams interpreting them — the main difference being that string 
diagrams are composable structures. 

In this section we describe how regular expressions (resp. automata) can be 
encoded as string diagrams, such that their semantics corresponds in a precise 
way to the languages that they describe (resp. recognise). 

In a sense, regular expressions are already part of the graphical syntax, as the red generators: for any regular expression e, one may always construct a ‘red’ string diagram e : 0 → ▸ such that ⟦e⟧ = {(•, e)}. However, these alone are meaningless, since their image under the semantics is simply the free term algebra RegExp (see (7)). They acquire meaning as they act on the set of languages over Σ, represented by the black wire. 


4.1 From regular expressions to string diagrams 


To define these encodings, it is convenient to introduce the following syntactic sugar. We will write the e-labelled black wire for the composite of the red diagram e with the action, as defined below left, with the particular case of a letter a ∈ Σ on the right: 

[Definition of the e-labelled wire and of the a-labelled wire, shown in the original.] (6) 

Using this action, we can inductively define an encoding (−) of regular expressions into string diagrams of Aut_Σ, as the rightmost diagram for each expression below: 

[The inductive cases of the encoding, shown in the original.] (7) 
For example, (ab(a + ab)*) = 

[Diagram shown in the original.] (8) 

As expected, the translation preserves the language interpretation of regular expressions in a sense that the following proposition makes precise. 


Proposition 2. For any regular expression e, ⟦(e)⟧ = {(L,K) | ⟦e⟧_Σ L ⊆ K}. 


4.2 From automata to string diagrams... 


Example (8) suggests that the string diagram (e) corresponding to a regular 
expression e looks a lot like a nondeterministic finite-state automaton (NFA) 
for e. In fact, the translation (—) can be seen as the diagrammatic counterpart 
of Thompson’s construction that builds an NFA from a regular expression. 
We can generalise the encoding of regular expressions and translate NFAs 
directly into string diagrams, in at least two ways. The first is to encode an 
NFA as the diagrammatic counterpart of its transition relation. The second is to 
translate its graph representation directly into the diagrammatic syntax. 


Encoding the transition relation. This is a simple variant of the translation of matrices over semirings that has appeared in several places in the literature [29, 42]. 

Let A be an NFA with set of states Q, initial state q_0 ∈ Q, accepting states F ⊆ Q and transition relation δ ⊆ Q × Σ × Q. We can represent δ as a string diagram d with |Q| incoming wires on the left and |Q| outgoing wires on the right. The jth port on the left of d is connected to the ith port on the right through an a-labelled wire whenever (q_j, a, q_i) ∈ δ. To accommodate nondeterminism, when the same two ports are connected by several different letters of Σ, we join these using copy and merge. When (q_i, ε, q_j) ∈ δ, the two ports are simply connected via a plain identity wire. If there is no tuple in δ such that (q_i, a, q_j) ∈ δ for any a, the two corresponding ports are disconnected. 

For example, the transition relation of an NFA with three states and δ = {(q_0, a, q_1), (q_1, b, q_2), (q_2, a, q_1), (q_2, a, q_2)} (disregarding the initial and accepting states for the moment) is depicted on the right (shown in the original). Conversely, given such a diagram, we can recover δ by collecting Σ-weighted paths from left to right ports. 

To deal with the initial state, we add an additional incoming wire connected to the right port corresponding to the initial state of the automaton. Similarly, for accepting states we add an additional outgoing wire, connected to the left ports corresponding to each accepting state, via merge if there is more than one. Finally, we trace out the |Q| wires of the diagrammatic transition relation to obtain the associated string diagram. In other words, for an NFA with initial state q_0, set of accepting states F and transition relation δ, we obtain the string diagram on the right (shown in the original), where d is the diagrammatic counterpart of δ as defined above, e_0 is the injection of a single wire as the first amongst |Q| wires, and f deletes all wires that are not associated to states in F with delete, and applies merge to merge them into a single outgoing wire. 

For example, if A with δ as above has initial state q_0 and accepting state {q_2}, we get the diagram below left; instead, if all states are accepting, we obtain the diagram below right: 

[Diagrams shown in the original.] 

The correctness of this simple translation is justified by a semantic correspondence between the language recognised by a given NFA A and the denotation of the corresponding string diagram. 

Proposition 3. Given an NFA A which recognises the language L, let d_A be its associated string diagram, constructed as above. Then ⟦d_A⟧ = {(K,K') | LK ⊆ K'}. 


From graphs to string diagrams. The second way of translating automata into string diagrams mimics more directly the combinatorial representation of automata. The idea (which should be sufficiently intuitive to not need to be made formal here) is, for each state, to use merge to represent incoming edges, and copy to represent outgoing edges. As above, labels a ∈ Σ will be modelled using a-labelled wires. For example, the graph and the associated string diagram corresponding with the NFA above are 

[Graph and string diagram shown in the original.] (9) 

Note the initial state of the automaton corresponds to the left interface of the string diagram, and the accepting state to the right interface. As before, when there are multiple accepting states, they all connect to a single right interface, via merge. For example, if we make all states accepting in the automaton above, we get the following diagrammatic representation (shown in the original): 


4.3 ...and back 


The previous discussion shows how NFAs can be seen as string diagrams of type ▸ → ▸. The converse is also true: we now show how to extract an automaton from any string diagram d : ▸ → ▸, such that the language the automaton recognises matches the denotation of d. 

In order to phrase this correspondence formally, we need to introduce some terminology. We call left-to-right those string diagrams whose domain and codomain contain only ▸, i.e. their type is of the form ▸^n → ▸^m. The idea is that, in any such string diagram, the n left interfaces act as inputs of the computation, and the m right interfaces act as outputs. For instance, (9) is a left-to-right diagram ▸ → ▸. 

A string diagram d is atomic if the only red generators occurring in d are letters a ∈ Σ. By unfolding all red components e in any left-to-right diagram, using axioms (C1)-(C5), we can prove the following statement. 


Proposition 4. Any left-to-right diagram is =_KDA-equivalent to an atomic one. 


For instance, the string diagram on the left of is =_KDA-equivalent to the 
atomic one on the right. 

We call block of a certain subset of generators a vertical composite of these 
generators followed by some permutations of the wires. 


Definition 2. A matrix-diagram (resp. generalised matrix-diagram) is a left-to-right diagram that factors as a block of copy and delete, followed by a block of a-labelled wires for a ∈ Σ (resp. e-labelled wires for e ∈ RegExp) and finally, a block of merge and unit. 


To each matrix-diagram d we can associate a unique transition relation δ by gathering paths from each input to each output: (q_i, a, q_j) ∈ δ if there is an a-labelled wire joining the ith input to the jth output. A transition relation is ε-free if it does not contain the empty word. It is deterministic if it is ε-free and, for each i and each a ∈ Σ, there is at most one j such that (q_i, a, q_j) ∈ δ. We will apply these terms to matrix-diagrams and the associated transition relation interchangeably. The example of Section 4.2 above, with the three blocks highlighted, is a matrix-diagram. It is ε-free but not deterministic since there are two a-labelled transitions starting from the third input. 

Given a matrix-diagram d : ▸^{l+n} → ▸^{p+m}, we will write d_{ij}, with i ∈ {l, n} and j ∈ {p, m}, for the subdiagrams corresponding to the appropriate submatrices. 


Definition 3. For any left-to-right diagram d : ▸^n → ▸^m, a representation is a matrix-diagram d' : ▸^{l+n} → ▸^{l+m} such that d is equal to d' with its l additional wires traced out (shown in the original) and d'_{ll}, d'_{nm} are ε-free. It is a deterministic representation if moreover d'_{ll} is deterministic. 


For example, given the string diagram below on the left, the one on the right is a representation for it, whose highlighted matrix-diagram is the same as above. 

[Diagram shown in the original.] (10) 


We will refer to the associated matrix-diagram d' as the transition matrix of a given representation. From a ▸ → ▸ diagram with representation d' : ▸^{l+1} → ▸^{l+1} we can construct an NFA from its transition matrix d' as follows: 

- its state set is Q = {q_1, ..., q_l}, i.e. there is one state for each wire of d'_{ll}; 
- its transition relation is built from d'_{ll} as described above; 
- its initial states Q_0 are those q_i for which there exists an index j such that the ijth coefficient of d'_{1l} is non-zero (and therefore ε); 
- its final states F are those q_j for which there exists an index i such that the ijth coefficient of d'_{l1} is non-zero (and therefore ε). 

The construction above is the inverse of that of Section 4.2. The link between the constructed automaton and the original string diagram is summarised in the following statement, which is a straightforward corollary of Proposition 3. 

Proposition 5. For a diagram d : ▸ → ▸ with a representation d', let A_{d'} be the associated automaton, constructed as above. Then L is the language recognised by A_{d'} iff ⟦d⟧ = {(K,K') | LK ⊆ K'}. 

The next proposition states that a representation can be extracted from any string diagram. 

Proposition 6. Any left-to-right diagram has a representation. 

We established a correspondence between ▸ → ▸ diagrams and automata. What about arbitrary left-to-right diagrams ▸^n → ▸^m? To characterise the precise relationship between our syntax and regular expressions we can prove a Kleene theorem for Aut_Σ. Recall, from Definition 2, that a generalised matrix-diagram is the diagrammatic counterpart of a matrix whose coefficients are regular expressions. It turns out that every left-to-right diagram can be put in this form. 

Proposition 7 (Kleene’s theorem for Aut_Σ). Any left-to-right diagram is equal to a generalised matrix-diagram. 

As a result, the semantics of a given ▸^n → ▸^m diagram is fully characterised by an m × n array of regular languages. 
4.4 Interlude: from regular to context-free languages 


It is worth pointing out how a simple modification of the diagrammatic syn- 
tax takes us one notch up the Chomsky hierarchy, leaving the realm of regular 
languages for that of context-free grammars and languages. 

Our syntax allows one to specify systems of language equations of the form aX ⊆ Y. In this context, feedback loops can be interpreted as fixed-points. For example, the automaton below left, and its corresponding string diagram, below right, translate to the system of equations at the center: 

$$\varepsilon \subseteq X_0 \qquad X_0 a \subseteq X_1 \qquad X_1 b \subseteq X_2 \qquad X_2 a \subseteq X_2$$

[The automaton and its string diagram are shown in the original.] 


This translation can be obtained by simply labelling each state with a variable 
and adding one inequality of the form X;a C X; for each a-transition from state 
i to state j. The system we obtain corresponds very closely to the [—]-semantics 
of the associated string diagram. 

The distinction between red and black wires can be understood as a type discipline that only allows linear uses of the product of languages. It is legitimate and enlightening to ask what would happen if we forgot about red wires and interpreted the action directly as the product. We would replace the action by a new generator (shown in the original) with semantics {((M,L),K) | ML ⊆ K}. 

This would allow us to specify systems of language equations with unre- 
stricted uses of the product on the left of inclusions, e.g. UVW C X. Equations 
of this form are similar to the production rules (e.g. X —- UVW) of context-free 
grammars and it is well-known that the least solutions of this class of systems 
are precisely context-free languages Chapter 10]. 


For example we could encode the language X → XX | (X) | ε of properly matched parentheses as the least solution of the system ε ⊆ X, (X) ⊆ X, XX ⊆ X, which gives the diagram displayed on the right (shown in the original). 
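The least-solution reading of Example 1 (Arden's lemma), the translation of an automaton into a system of language inequalities (Section 4.4) and the context-free system ε ⊆ X, (X) ⊆ X, XX ⊆ X, as an added Python example that is not part of the paper. Languages are approximated by their words up to an assumed length bound MAX_LEN, so least solutions can be computed by plain fixed-point iteration; the NFA data and the variable/rule encoding are constructed for this example.

```python
from itertools import product

MAX_LEN = 6  # assumed bound on word length; makes the fixed-point iteration finite


def concat(langs, max_len):
    """Concatenate a list of languages, keeping only words of length <= max_len."""
    result = {""}
    for lang in langs:
        result = {u + v for u in result for v in lang if len(u + v) <= max_len}
    return result


def least_solution(variables, seeds, rules, max_len=MAX_LEN):
    """Least solution of a system of inequalities  s_1 ... s_k ⊆ X.

    variables: set of variable names (X_0, X_1, ...).
    seeds:     dict var -> words that must belong to var (e.g. eps ⊆ X_0).
    rules:     list of (items, target); items is a list whose entries are
               variable names or literal letters, read as a concatenation.
    Starting from the seeds, the monotone operator is iterated until nothing
    new (of length <= max_len) appears, which is the least fixed point.
    """
    sol = {x: {w for w in seeds.get(x, ()) if len(w) <= max_len} for x in variables}
    changed = True
    while changed:
        changed = False
        for items, target in rules:
            langs = [sol[i] if i in variables else {i} for i in items]
            new = concat(langs, max_len) - sol[target]
            if new:
                sol[target] |= new
                changed = True
    return sol


def arden(L, a="a", max_len=MAX_LEN):
    """Example 1 / Arden's lemma: least solution X of  L ∪ Xa ⊆ X."""
    return least_solution({"X"}, {"X": L}, [(["X", a], "X")], max_len)["X"]


def la_star(L, a="a", max_len=MAX_LEN):
    """La* computed directly, for comparison with arden()."""
    return {w + a * n for w in L for n in range(max_len + 1) if len(w) + n <= max_len}


# Constructed data: the paper's running NFA, delta = {(q0,a,q1), (q1,b,q2),
# (q2,a,q1), (q2,a,q2)} with initial state q0 and accepting state q2.
DELTA = {("q0", "a", "q1"), ("q1", "b", "q2"), ("q2", "a", "q1"), ("q2", "a", "q2")}


def nfa_system(delta, initial):
    """Section 4.4: label each state with a variable; eps ⊆ X_initial and
    X_i a ⊆ X_j for every transition (q_i, a, q_j)."""
    variables = {initial} | {p for p, _, _ in delta} | {q for _, _, q in delta}
    rules = [([p, a], q) for (p, a, q) in delta]
    return variables, {initial: {""}}, rules


def nfa_language(delta, initial, final, max_len=MAX_LEN):
    """Brute-force reference: words of length <= max_len accepted by the NFA."""
    alphabet = sorted({a for _, a, _ in delta})
    accepted = set()
    for n in range(max_len + 1):
        for word in product(alphabet, repeat=n):
            states = {initial}
            for a in word:
                states = {q for p, b, q in delta if p in states and b == a}
            if states & set(final):
                accepted.add("".join(word))
    return accepted


def dyck(max_len=MAX_LEN):
    """The context-free extension: eps ⊆ X, (X) ⊆ X, XX ⊆ X. Here XX is a
    product of two variables, which the linear (right-action) syntax forbids."""
    rules = [(["(", "X", ")"], "X"), (["X", "X"], "X")]
    return least_solution({"X"}, {"X": {""}}, rules, max_len)["X"]


def is_balanced(word):
    """Reference check for dyck(): properly matched parentheses."""
    depth = 0
    for c in word:
        depth += 1 if c == "(" else -1
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    variables, seeds, rules = nfa_system(DELTA, "q0")
    sol = least_solution(variables, seeds, rules)
    print("X_q2 =", sorted(sol["q2"], key=len))
    print("same as NFA language:", sol["q2"] == nfa_language(DELTA, "q0", {"q2"}))
```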


5 Completeness and Determinisation 


This section is devoted to proving our completeness result, Theorem 1. We use a normal form argument: more specifically, we mimic automata-theoretic results to rewrite every string diagram to a normal form corresponding to a minimal deterministic finite automaton (DFA). We achieve this by implementing Brzozowski’s algorithm through diagrammatic equational reasoning. The proof proceeds in three distinct steps. 
1. We first show (Section 5.1) how to determinise (the representation of) a diagram: this step consists in eliminating all subdiagrams that correspond to nondeterministic transitions in the associated automaton. 

2. We use the previous step to implement a minimisation procedure (Section ) from which we obtain a minimal representation for a given diagram: this is a representation whose associated automaton is minimal—with the fewest states—amongst DFAs that recognise the same language. To do this, we show how the four steps of Brzozowski’s minimisation algorithm (reverse; determinise; reverse; determinise) translate into diagrammatic equational reasoning. Note that the first three steps taken together simply amount to applying in reverse the determinisation procedure we have already devised. That this is possible will be a consequence of the symmetry of =_KDA. 

3. Finally, from the uniqueness of minimal DFAs, any two diagrams that have the same denotation are both equal to the same minimal representation and we can derive completeness of =_KDA. 


We will now write equations in =_KDA simply as = to simplify notation and 
say that diagrams c and d are equal when c =_KDA d. 

First, we use the symmetries of the equational theory to make simplifying 
assumptions about the diagrams to consider in the completeness proof. 


A few simplifying assumptions. Without loss of generality, the proof we give is restricted to string diagrams with no red object in their domain or in their codomain. This is simply a matter of convenience: the same proof would work for more general diagrams, that may contain red objects in their (co)domain, at the cost of significantly cluttering diagrams. Henceforth, one can simply think of the labels for the action x as uniquely identifying one open red wire in a diagram. With this convention, two or more occurrences of the same x in a diagram can be seen as connected to the same red wire on the left, via red copy. That we can safely do so is a consequence of the completeness of =_KDA restricted to the monochromatic red fragment, itself a consequence of [Theorem 6.1]. 

Arbitrary objects in Aut_Σ are lists of the three generating objects. We have already motivated focusing on string diagrams with no open red wires, so that the objects we care about are lists of ▸ and ◂. The following proposition implies that, without loss of generality, for the proof of completeness we can restrict further to left-to-right diagrams (Section 4.2). 

Proposition 8. There is a natural bijection between sets of string diagrams of the two forms shown in the original, where A_i, B_i represent lists of ▸ and ◂. 

Proposition 8 tells us that we can always bend the incoming wires to the left and outgoing wires to the right before applying some equations, and recover the original orientation of the wires by bending them into their original place later. 




5.1 Determinisation 


In diagrammatic terms, a nondeterministic transition of the automaton associated to (a representation of) a given diagram corresponds to a subdiagram of the form shown in the original (two a-labelled transitions out of the same wire) for some a ∈ Σ. Clearly, using the definition of the a-labelled wire in (6) and the axiom shown in the original, we have the equality shown in the original, which will prove to be the engine of our determinisation procedure, along with the fact that any red expression can be copied and deleted. The next two theorems generalise the ability to copy and delete to arbitrary left-to-right diagrams. 


Theorem 2. For any left-to-right diagram d : ▸^m → ▸^n, the four equations (cpy), (del), (co-cpy) and (co-del) shown in the original hold: d can be pushed through copy and delete on its n outputs, and dually through merge and unit on its m inputs. 


For d : ▸^m → ▸^n, let d_{ij} be the string diagram of type ▸ → ▸ obtained by composing every input with unit except the ith one, and every output with delete except the jth one. Theorem 2 implies that string diagrams are fully characterised by their ▸ → ▸ subdiagrams. 

Corollary 1. Given d, e : ▸^m → ▸^n, d =_KDA e iff d_{ij} =_KDA e_{ij} for all 1 ≤ i ≤ m and 1 ≤ j ≤ n. 

Thus, we can restrict our focus further to left-to-right ▸ → ▸ diagrams, without loss of generality. We are now able to devise a determinisation procedure for representations of diagrams, which we illustrate below on a simple example. 


Proposition 9 (Determinisation). Any diagram ▸ → ▸ has a deterministic representation. 


Example 2. 
Dealing with useless states. Notice that our deterministic form is partial and that the determinisation procedure disregards useless states, i.e., parts of a string diagram that do not reach an output wire. None of these contribute to the semantics of the diagram and can be safely eliminated using Theorem 2 (del)-(co-del). 


5.2 Minimisation and completeness 


As explained above, our proof of completeness is a diagrammatic reformulation 
of Brzozowski’s algorithm which proceeds in four steps: determinise, reverse, 
determinise, reverse. We already know how to determinise a given diagram. 
The other three steps are simply a matter of looking at string diagrams differ- 
ently and showing that all the equations that we needed to determinise them, 
can be performed in reverse. 

We say that a matrix-diagram is co-deterministic if the converse of its associ- 
ated transition relation is deterministic. 


Proof (Theorem 1 (Completeness)). We have a procedure to show that, if ⟦d⟧ = ⟦e⟧, then there exists a string diagram f in normal form such that d = f = e. This normal form is the diagrammatic counterpart of the minimal automaton associated to d and e. In our setting, it is the deterministic representation equal to d and e with the smallest number of states. This is unique because we can obtain from it the corresponding minimal automaton, which is well-known to be unique. First, given any string diagram we can obtain a representation for it by Proposition 6. Then we obtain a minimal representation by splitting Brzozowski’s algorithm in two steps. 


1. Reverse; determinise; reverse. A close look at the determinisation procedure 
shows that, at each step, the required laws all hold in reverse. For example, 
we can replace every instance of (cpy) with (co-cpy). We can thus define, 
in a completely analogous manner, a co-determinisation procedure which 
takes care of the first three steps of Brzozowski’s algorithm, and obtain a 
co-deterministic representation for the given diagram. 

2. Determinise. By applying Proposition 9, we can obtain a deterministic representation for the co-deterministic representation of the previous step. The result is the desired minimal representation and normal form. 
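Brzozowski's minimisation (reverse; determinise; reverse; determinise) on automata, as an added Python example that is not the paper's own code. The two constructed NFAs below both recognise ab(a+ab)*, and the normal-form comparison at the end mirrors the completeness argument above: inputs with the same language reach the same minimal representation. The canonical() renaming used for that comparison is this example's own device.

```python
from collections import deque

# An NFA is (initial states, transition relation, final states); states may
# be any hashable values. Constructed data: the paper's running NFA, with
# delta = {(q0,a,q1), (q1,b,q2), (q2,a,q1), (q2,a,q2)}, initial q0, final q2.
NFA_A = (
    frozenset({"q0"}),
    {("q0", "a", "q1"), ("q1", "b", "q2"), ("q2", "a", "q1"), ("q2", "a", "q2")},
    frozenset({"q2"}),
)
# A second constructed NFA for the same language ab(a+ab)*: s3 and s4 are
# duplicates of each other and s5 is a useless state (it never reaches s2).
NFA_B = (
    frozenset({"s0"}),
    {("s0", "a", "s1"), ("s1", "b", "s2"), ("s2", "a", "s2"), ("s2", "a", "s3"),
     ("s3", "b", "s2"), ("s2", "a", "s4"), ("s4", "b", "s2"), ("s1", "a", "s5")},
    frozenset({"s2"}),
)
ALPHABET = ("a", "b")


def accepts(nfa, word):
    """Run the NFA on a word (subset simulation)."""
    init, delta, final = nfa
    states = set(init)
    for a in word:
        states = {q for p, b, q in delta if p in states and b == a}
    return bool(states & set(final))


def reverse(nfa):
    """Swap initial and final states and flip every transition."""
    init, delta, final = nfa
    return (frozenset(final), {(q, a, p) for p, a, q in delta}, frozenset(init))


def determinise(nfa, alphabet=ALPHABET):
    """Subset construction over the subsets reachable from the initial subset.
    Transitions into the empty subset are dropped, so the result is a partial
    DFA, matching the partial deterministic form of Section 5.1."""
    init, delta, final = nfa
    start = frozenset(init)
    trans, seen, queue = set(), {start}, deque([start])
    while queue:
        S = queue.popleft()
        for a in alphabet:
            T = frozenset(q for p, b, q in delta if p in S and b == a)
            if not T:
                continue
            trans.add((S, a, T))
            if T not in seen:
                seen.add(T)
                queue.append(T)
    finals = frozenset(S for S in seen if S & frozenset(final))
    return (frozenset([start]), trans, finals)


def brzozowski(nfa, alphabet=ALPHABET):
    """Minimal DFA via reverse; determinise; reverse; determinise.
    Determinising the reversed automaton only builds subsets reachable from
    the accepting states, so useless states such as s5 disappear on the way."""
    co_deterministic = determinise(reverse(nfa), alphabet)
    return determinise(reverse(co_deterministic), alphabet)


def canonical(dfa, alphabet=ALPHABET):
    """Rename DFA states by breadth-first discovery order over a fixed alphabet
    order; isomorphic DFAs then yield identical (table, finals, size) triples."""
    init, delta, final = dfa
    (start,) = init  # a DFA has exactly one initial state
    names, queue, table = {start: 0}, deque([start]), []
    while queue:
        S = queue.popleft()
        for a in alphabet:
            for p, b, q in delta:
                if p == S and b == a:
                    if q not in names:
                        names[q] = len(names)
                        queue.append(q)
                    table.append((names[S], a, names[q]))
    return tuple(sorted(table)), frozenset(names[S] for S in final), len(names)


if __name__ == "__main__":
    for name, nfa in (("A", NFA_A), ("B", NFA_B)):
        table, finals, size = canonical(brzozowski(nfa))
        print(name, "->", size, "states, final", sorted(finals), "transitions", table)
```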


6 Discussion 


In this paper, we have given a fully diagrammatic treatment of finite-state au- 
tomata, with a finite equational theory that axiomatises them up to language 
equivalence. We have seen that this allows us to decompose the regular opera- 
tions of Kleene algebra, like the star, into more primitive components, resulting 
in greater modularity. In this section, we compare our contributions with re- 
lated work, and outline directions for future research. 

Traditionally, computer scientists have used syntax or railroad diagrams to 
visualise regular expressions and context-free grammars [41]. These diagrams 
resemble ours very closely but have remained mostly informal. More recently, 
Hinze has treated the single input-output case rigorously as a pedagogical tool 
to teach the correspondence between finite-state automata and regular expres- 
sions [18]. He did not, however, study their equational properties. 

Bloom and Ésik's iteration theories provide a general categorical setting in 
which to study the equational properties of iteration for a broad range of struc- 
tures that appear in programming language semantics [5]. They are cartesian 
categories equipped with a parameterised fixed-point operation closely related 
to the feedback notion we have used to represent the Kleene star. However, the 
monoidal category of interest in this paper is compact-closed (only the full sub- 
category over the wire types ▸ and ◂, to be precise), a property that is incompatible with the 
existence of categorical products (any category that has both collapses to a pre- 
order [30]). Nevertheless, the subcategory of left-to-right diagrams (Section 4.2) 
is a (matrix) iteration theory [6], a structure that Bloom and Ésik have used to 
give an (infinitary) axiomatisation of regular languages [4]. 

Similarly, Stefanescu’s work on network algebra provides a unified algebraic 
treatment of various types of networks, including finite-state automata [39]. In 
general, network algebras are traced monoidal categories where the product is 
not necessarily cartesian, and therefore more general than iteration theories. In 
both settings however, the trace is a global operation, that cannot be decom- 
posed further into simpler components. In our work, on the other hand, the 
trace can be defined from the compact-closed structure, as was depicted in (3). 

Note that the compact closed subcategory in this paper can be recovered 
from the traced monoidal category of left-to-right diagrams, via the Int construc- 
tion [22]. Therefore, as far as mathematical expressiveness is concerned, the two 
approaches are equivalent. However, from a methodological point of view, tak- 
ing the compact closed structure as primitive allows for improved composition- 
ality, as the example in the introduction illustrates. Furthermore, the compact 
closed structure can be finitely presented relative to the theory of symmetric 
monoidal categories, whereas the trace operation cannot. This matters greatly 
in this paper, where finding a finite axiomatisation is our main concern. 

Finally, the idea of treating regular expressions as a free structure acting on 
a second algebraic structure also appeared in Pratt’s dynamic algebras, which 
axiomatise the propositional fragment of dynamic modal logic [34]. Like our 
formalism, the variety of dynamic algebras is finitely-based. But they assume 
more structure: the second algebraic structure is a Boolean algebra. 

In all the formalisms we have mentioned, the difficulty typically lies in cap- 
turing the behaviour of iteration, whether as the star in Kleene algebra [26, 4], 
or as a trace operator in iteration theory [5] and network algebra [39]. The axioms 
should be coercive enough to force it to be the least fixed-point of the language 
map L ↦ {ε} ∪ LK. In Kozen's axiomatisation of Kleene algebra, for exam- 
ple, this is achieved through (a) the axiom 1 + ee* ≤ e* (the star is a fixpoint) and (b) the Horn 
clause f + ex ≤ x ⇒ e*f ≤ x (the star is the least fixpoint). In our work, (a) is a con- 
sequence of the unfolding of the star into a feedback loop and can be derived 
from the other axioms. (b) is more subtle, but can be seen as a consequence 
of the (D1)-(D4) axioms. These allow us to (co)copy and (co)delete arbitrary di- 
agrams (Theorem 2), and we conjecture that this is what forces the star to be 
a single definite value: not just any fixed-point, but the least one. Making this 
statement precise is the subject of future work. 


The difficulty in capturing the behaviour of fixed-points is also the reason 
why we decided to work with an additional red wire, to encode the action of 
regular expressions on the set of languages: without it, global (co)copying and 
(co)deleting (Theorem 2) cannot be reduced to the local (D1)-(D4) axioms. There 
is another route, which leads to an infinitary axiomatisation: we could dispense 
with the red generators altogether and take the a-labelled generator (for a ∈ Σ) as primitive in- 
stead, with global axioms to (co)copy and (co)delete arbitrary diagrams. This 
would pave the way for a reformulation of our work in the context of (matrix) 
iteration theories, where the ability to (co)copy and (co)delete arbitrary expres- 
sions is already built-in. We leave this for future work. 


There is an intriguing parallel between our case study and the positive frag- 
ment of relation algebra (also known as allegories [16]). Indeed, allegories, like 
Kleene algebra, do not admit a finite axiomatisation [16]. However, this result 
holds for standard algebraic theories. It has been shown recently that a structure 
equivalent to allegories can be given a finite axiomatisation when formulated 
in terms of string diagrams in monoidal categories [9]. It seems that the greater 
generality of the monoidal setting (algebraic theories correspond precisely to 
the particular case of cartesian monoidal categories [11]) allows for simpler 
axiomatisations in some specific cases. In the future we would like to under- 
stand whether this phenomenon, of which we now have two instances, can be 
understood in a general context. 


Lastly, extensions of Kleene algebra, such as Concurrent Kleene Algebra 
(CKA) [19, 23] and NetKAT [1], are increasingly relevant in current research. 
Enhancing our equational theory to encompass these extensions seems a promis- 
ing research direction, for two main reasons. First, the two-dimensional na- 
ture of string diagrams has proven particularly suitable for reasoning about 
concurrency (see e.g. [7, 38]), and more generally about resource exchange be- 
tween processes (see e.g. [10, 13, 21, 3, 8]). Second, when trying to transfer the 
good meta-theoretical properties of Kleene algebra (like completeness and de- 
cidability) to extensions such as CKA and NetKAT, the cleanest way to proceed 
is usually in a modular fashion. The interaction between the new operators of 
the extension and the Kleene star usually represents the greatest challenge to 
this methodology. Now, in our theory, the Kleene star is decomposable into simpler 
components (see (3)) and there is only one specific axiom (C5) governing its 
behaviour. We believe this is a particularly favourable starting point to modu- 
larise a meta-theoretic study of CKA and NetKAT with string diagrams, taking 
advantage of the results we presented in this paper for finite-state automata. 


A String Diagrammatic Axiomatisation of Finite-State Automata 


References 

1. Anderson, C.J., Foster, N., Guha, A., Jeannin, J.B., Kozen, D., Schlesinger, C., Walker, D.: NetKAT: semantic foundations for networks. ACM SIGPLAN Notices 49(1), 113-126 (2014) 
2. Arden, D.N.: Delayed-logic and finite-state machines. In: 2nd Annual Symposium on Switching Circuit Theory and Logical Design (SWCT 1961). pp. 133-151. IEEE (1961) 
3. Baez, J.C., Fong, B.: A compositional framework for passive linear networks. Theory & Applications of Categories 33 (2018) 
4. Bloom, S.L., Ésik, Z.: Equational axioms for regular sets. Mathematical Structures in Computer Science 3(1), 1-24 (1993) 
5. Bloom, S.L., Ésik, Z.: Iteration Theories. Springer (1993) 
6. Bloom, S.L., Ésik, Z.: Matrix and matricial iteration theories. Journal of Computer and System Sciences 46(3), 381-439 (1993) 
7. Bonchi, F., Holland, J., Piedeleu, R., Sobociński, P., Zanasi, F.: Diagrammatic algebra: from linear to concurrent systems. In: Proceedings of the 46th Annual ACM SIGPLAN Symposium on Principles of Programming Languages (POPL) (2019) 
8. Bonchi, F., Piedeleu, R., Sobociński, P., Zanasi, F.: Graphical affine algebra. In: Proceedings of the 34th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS) (2019) 
9. Bonchi, F., Seeber, J., Sobociński, P.: Graphical conjunctive queries. In: 27th Annual EACSL Conference Computer Science Logic (CSL). vol. 119 (2018) 
10. Bonchi, F., Sobociński, P., Zanasi, F.: The calculus of signal flow diagrams I: linear relations on streams. Information and Computation 252, 2-29 (2017) 
11. Bonchi, F., Sobociński, P., Zanasi, F.: Deconstructing Lawvere with distributive laws. Journal of Logical and Algebraic Methods in Programming 95, 128-146 (2018) 
12. Brzozowski, J.A.: Canonical regular expressions and minimal state graphs for definite events. Mathematical Theory of Automata 12(6), 529-561 (1962) 
13. Coecke, B., Kissinger, A.: Picturing Quantum Processes - A First Course in Quantum Theory and Diagrammatic Reasoning. Cambridge University Press (2017) 
14. Conway, J.H.: Regular Algebra and Finite Machines. Courier Corporation (2012) 
15. Fong, B., Spivak, D.I.: Seven sketches in compositionality: An invitation to applied category theory. arXiv:1803.05316 (2018) 
16. Freyd, P.J., Scedrov, A.: Categories, Allegories. Elsevier (1990) 
17. Hasegawa, M.: Recursion from cyclic sharing: traced monoidal categories and models of cyclic lambda calculi. In: Proceedings of the Third International Conference on Typed Lambda Calculi and Applications (TLCA). pp. 196-213. Springer (1997) 
18. Hinze, R.: Self-certifying railroad diagrams. In: International Conference on Mathematics of Program Construction (MPC). pp. 103-137. Springer (2019) 
19. Hoare, C., Möller, B., Struth, G., Wehrman, I.: Concurrent Kleene algebra. In: Proceedings of the 20th International Conference on Concurrency Theory (CONCUR). pp. 399-414. Springer (2009) 
20. Hyland, M., Schalk, A.: Glueing and orthogonality for models of linear logic. Theoretical Computer Science 294(1-2), 183-231 (2003) 
21. Jacobs, B., Kissinger, A., Zanasi, F.: Causal inference by string diagram surgery. In: Proceedings of the 22nd International Conference on Foundations of Software Science and Computation Structures (FOSSACS). pp. 313-329. Springer (2019) 
22. Joyal, A., Street, R., Verity, D.: Traced monoidal categories. In: Mathematical Proceedings of the Cambridge Philosophical Society. vol. 119, pp. 447-468. Cambridge University Press (1996) 

R. Piedeleu and F. Zanasi 


23. Kappé, T., Brunet, P., Silva, A., Zanasi, F.: Concurrent Kleene algebra: Free model and completeness. In: Proceedings of the 27th European Symposium on Programming (ESOP) (2018) 
24. Kelly, G.M., Laplaza, M.L.: Coherence for compact closed categories. Journal of Pure and Applied Algebra 19, 193-213 (1980) 
25. Kleene, S.C.: Representation of events in nerve nets and finite automata. Tech. rep., RAND Project Air Force, Santa Monica, CA (1951) 
26. Kozen, D.: A completeness theorem for Kleene algebras and the algebra of regular events. Information and Computation 110(2), 366-390 (1994) 
27. Kozen, D.: Kleene algebra with tests. ACM Transactions on Programming Languages and Systems (TOPLAS) 19(3), 427-443 (1997) 
28. Krob, D.: Complete systems of B-rational identities. Theoretical Computer Science 89(2), 207-343 (1991) 
29. Lack, S.: Composing PROPs. Theory and Applications of Categories 13(9), 147-163 (2004) 
30. Lambek, J., Scott, P.J.: Introduction to Higher-Order Categorical Logic, vol. 7. Cambridge University Press (1988) 
31. McCulloch, W.S., Pitts, W.: A logical calculus of the ideas immanent in nervous activity. The Bulletin of Mathematical Biophysics 5(4), 115-133 (1943) 
32. Moshier, A.M.: Coherence for categories of posets with applications. Topology, Algebra and Categories in Logic (TACL) p. 214 (2015) 
33. Piedeleu, R., Zanasi, F.: A string diagrammatic axiomatisation of finite-state automata. arXiv:2009.14576 (2020) 
34. Pratt, V.: Dynamic algebras as a well-behaved fragment of relation algebras. In: Proceedings of the International Conference on Algebraic Logic and Universal Algebra in Computer Science. pp. 77-110. Springer (1988) 
35. Redko, V.N.: On defining relations for the algebra of regular events. Ukrainskii Matematicheskii Zhurnal 16, 120-126 (1964) 
36. Selinger, P.: A survey of graphical languages for monoidal categories. Springer Lecture Notes in Physics 13(813), 289-355 (2011) 
37. Smolka, S., Foster, N., Hsu, J., Kappé, T., Kozen, D., Silva, A.: Guarded Kleene algebra with tests: verification of uninterpreted programs in nearly linear time. Proceedings of the 47th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL) 4, 1-28 (2020) 
38. Sobociński, P., Montanari, U., Melgratti, H., Bruni, R.: Connector algebras for C/E and P/T nets' interactions. Logical Methods in Computer Science 9 (2013) 
39. Stefanescu, G.: Network Algebra. Discrete Mathematics and Theoretical Computer Science, Springer London (2000) 
40. Thompson, K.: Programming techniques: Regular expression search algorithm. Communications of the ACM 11(6), 419-422 (1968) 
41. Wirth, N.: The programming language Pascal. Acta Informatica 1(1), 35-63 (1971) 
42. Zanasi, F.: Interacting Hopf Algebras: the theory of linear systems. Ph.D. thesis, École Normale Supérieure de Lyon (2015) 




Open Access This chapter is licensed under the terms of the Creative Commons 
Attribution 4.0 International License (http: //creativecommons.org/licenses/ 
by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any 
medium or format, as long as you give appropriate credit to the original author(s) and 
the source, provide a link to the Creative Commons license and indicate if changes were 
made. 

The images or other third party material in this chapter are included in the chapter’s 
Creative Commons license, unless indicated otherwise in a credit line to the material. If 
material is not included in the chapter’s Creative Commons license and your intended 
use is not permitted by statutory regulation or exceeds the permitted use, you will need 
to obtain permission directly from the copyright holder. 




Work-sensitive Dynamic Complexity of Formal 
Languages 


Jonas Schmidt¹, Thomas Schwentick¹, Till Tantau², Nils Vortmeier³, and 
Thomas Zeume⁴ 


¹ TU Dortmund University, Dortmund, Germany 
{jonas2.schmidt, thomas.schwentick}@tu-dortmund.de 
² Universität zu Lübeck, Lübeck, Germany 
tantau@tcs.uni-luebeck.de 
³ University of Zurich, Zurich, Switzerland 
nils.vortmeier@uzh.ch 
⁴ Ruhr University Bochum, Bochum, Germany 
thomas.zeume@rub.de 


Abstract. Which amount of parallel resources is needed for updating a 
query result after changing an input? In this work we study the amount of 
work required for dynamically answering membership and range queries 
for formal languages in parallel constant time with polynomially many 
processors. As a prerequisite, we propose a framework for specifying dy- 
namic, parallel, constant-time programs that require small amounts of 
work. This framework is based on the dynamic descriptive complexity 
framework by Patnaik and Immerman. 


Keywords: Dynamic complexity - work - parallel constant time. 


1 Introduction 


Which amount of parallel resources is needed for updating a query result after 
changing an input, in particular if we only want to spend constant parallel time? 

In classical, non-dynamic computations, parallel constant time is well under- 
stood. Constant time on CRAMs, a variant of CRCW-PRAMs used by Immer- 
man [15], corresponds to constant depth in circuits, so to the circuit class AC⁰, 
as well as to expressibility in first-order logic with built-in arithmetic (see, for 
instance, the books of Immerman [15, Theorem 5.2] and Vollmer [26, Theorems 
4.69 and 4.73]). Even more, the amount of work, that is, the overall number of 
operations of all processors, is connected to the number of variables required by 
a first-order formula [15, Theorem 5.10]. 

However, the work aspect of constant parallel time algorithms is less under- 
stood for scenarios where the input is subject to changes. To the best of our 
knowledge, there is only little previous work on constant-time PRAMs in dy- 
namic scenarios. A notable exception is early work showing that spanning trees 
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and connected components can be computed in constant time by CRCW-PRAMs 
with O(n*) and O(n?) processors, respectively [24]. 

In an orthogonal line of research, parallel dynamic constant time has been 
studied from a logical perspective in the dynamic complexity framework by Pat- 
naik and Immerman [20] and Dong, Su, and Topor [76]. In this framework, the 
update of query results after a change is expressed by first-order formulas. The 
formulas may refer to auxiliary relations, whose updates in turn are also specified 
by first-order formulas (see Section 3 for more details). The queries maintainable 
in this fashion constitute the dynamic complexity class DynFO. Such queries can 
be updated by PRAMs in constant time with a polynomial number of proces- 
sors. In this line of work, the main focus in recent years has been on proving that 
queries are in DynFO, thus emphasising the constant time aspect. It has, for 
instance, been shown that all context-free languages [11] and the reachability 
query [5] are in DynFO. 

However, if one tries to make the “DynFO approach” for dynamic problems 
relevant for practical considerations, the work that is needed to carry out the 
specified updates, hence the work of a parallel algorithm implementing them, is 
a crucial factor. The current general polynomial upper bounds are too coarse. In 
this paper, we therefore initiate the investigation of more work-efficient dynamic 
programs that can be specified by first-order logic and that can therefore be 
carried out by PRAMs in constant time. To do so, we propose a framework for 
specifying such dynamic, parallel, constant-time programs, which is based on 
the DynFO framework, but allows for more precise (and better) bounds on the 
necessary work of a program. 


Goal 1.1. Extend the formal framework of dynamic complexity towards the con- 
sideration of parallel work. 


Towards this goal, we link the framework we propose to the CRAM framework in 
Section 3. In fact, the new framework also takes a somewhat wider perspective, 
since it does not focus exclusively on one query under a set of change operations, 
but rather considers dynamic problems that may have several change and query 
operations (and could even have operations that combine the two). Therefore, 
from now on we speak about dynamic problems and not about (single) queries. 


Goal 1.2. Find work-efficient DynFO-programs for dynamic problems that are 
known to be in DynFO (but whose dynamic programs⁵ are not competitive, work- 
wise). 


Ideally we aim at showing that dynamic problems can be maintained in 
DynFO with sublinear or even polylogarithmic work. One line of attack for this 
goal is to study dynamic algorithms and to see whether they can be transformed 
into parallel O(1)-time algorithms with small work. There is a plethora of work 


⁵ In the field of dynamic complexity the term "dynamic program" is traditionally used 
for the programs for updating the auxiliary data after a change. The term should not 
be confused with the "dynamic programming" technique used in algorithm design. 
that achieves polylogarithmic sequential update time (even though sometimes 
only amortised), see for instance [3, 9, 12, 13]. For many of these problems, it is 
known that they can be maintained in constant parallel time with polynomial 
work; e.g., as mentioned above, it has been shown that connectivity and mainte- 
nance of regular (and even context-free) languages are in DynFO. 

In this paper, we follow this approach for dynamic string problems, more 
specifically, dynamic problems that allow membership and range queries for reg- 
ular and context-free languages. Our results can be summarised as follows. 

We show in Section 5 that regular languages can be maintained in constant 
time with O(n^ε) work for all ε > 0, and that for star-free languages even work 
O(log n) can be achieved. These results hold for range and membership queries. 

For context-free languages, the situation is not as nice, as we observe in 
Section 6. We show that, subject to a well-known conjecture, we cannot hope to 
maintain membership in general context-free languages in DynFO with less 
than O(n^{1.37-ε}) work. The same statement holds even for the bound O(n^{2-ε}) 
and "combinatorial dynamic programs". For Dyck languages, that is, sets of well- 
formed strings of parentheses, we show that this barrier does not apply. Their 
membership problem can be maintained with O(n(log n)*) work in general, and 
with polylogarithmic work if there is only one kind of parentheses. By a different 
approach, range queries can be maintained with work O(n^{1+ε}) in general, and 
O(n^ε) for one parenthesis type. 

Related work. A complexity theory of incremental time has been developed 
in [19]. We discuss previous work on dynamic complexity of formal languages in 
Sections 5 and 6. 


2 Preliminaries 


Since dynamic programs are based on first-order logic, we represent inputs like 
graphs and strings as well as “internal” data structures as logical structures. 

A schema τ consists of a set of relation symbols and function symbols with 
a corresponding arity. A constant symbol is a function symbol with arity 0. A 
structure 𝒟 over schema τ with finite domain D has, for every k-ary relation 
symbol R ∈ τ, a relation R^𝒟 ⊆ D^k, as well as a function f^𝒟: D^k → D for every 
k-ary function symbol f ∈ τ. We allow partially defined functions and write 
f^𝒟(ā) = ⊥ if f^𝒟 is not defined for ā in D. Formally, this can be realized using 
an additional relation that contains the domain of f^𝒟. We occasionally also use 
functions f^𝒟: D^k → D^ℓ for some ℓ > 1. Formally, such a function represents ℓ 
functions f₁^𝒟, ..., f_ℓ^𝒟: D^k → D with f^𝒟(ā) = (f₁^𝒟(ā), ..., f_ℓ^𝒟(ā)). 

Throughout this work, the structures we consider provide a linear order < 
on their domain D. As we can thus identify D with an initial sequence of the 
natural numbers, we usually just assume that D = [n] = {0,...,n—1} for some 
natural number n. 

We assume familiarity with first-order logic FO, and refer to for basics of 
Finite Model Theory. In this paper, unless stated otherwise, first-order formulas 
always have access to a linear order on the domain, as well as compatible func- 
tions + and × that express addition and multiplication, respectively. This holds 
in particular for formulas in dynamic programs. We use the following "if-then- 
else" construct: if φ is a formula, and t₁ and t₂ are terms, then ITE(φ, t₁, t₂) is 
a term. Such a term evaluates to the result of t₁ if φ is satisfied, otherwise to t₂. 

Following the usual convention, we encode words of length (at most) n over an alphabet Σ by 
word structures, that is, as relational structures W with universe {0, ..., n−1}, 
one unary relation R_σ for each symbol σ ∈ Σ, and the canonical linear order < on 
{0, ..., n−1}. We only consider structures for which, for every position i, R_σ(i) 
holds for at most one σ ∈ Σ, and write W(i) = σ if R_σ(i) holds and W(i) = ε if 
no such σ exists. We write word(W) for the word represented by W, that is, the 
concatenation w = W(0) ∘ ... ∘ W(n−1). As an example, the word structure W₀ 
with domain {0, 1, 2, 3}, W(1) = a, W(3) = b and W(0) = W(2) = ε represents 
the string ab. We write word(W)[ℓ, r] for the word W(ℓ) ∘ ... ∘ W(r). 

Informally, a dynamic problem can be seen as a data type: it consists of some 
underlying structure together with a set Δ of operations. We distinguish between 
change operations that can modify the structure and query operations that yield 
information about the structure, but combined operations could be allowed as 
well. Thus, a dynamic problem is characterised by the schema of its underlying 
structures and the operations that it supports.⁶ 

In this paper, we are particularly interested in dynamic language problems, 
defined as follows. Words are represented as word structures W with elementary 
change operations SET_σ(i) (with the effect that W(i) becomes σ if it was ε before) 
and RESET(i) (with the effect that W(i) becomes ε). 

For some fixed language L over some alphabet Σ, the dynamic problem 
RANGEMEMBER(L) further supports one query operation RANGE(ℓ, r). It yields 
the result true if word(W)[ℓ, r] is in L, and otherwise false. 

In the following, we denote a word structure W as a sequence w₀ ... w_{n−1} 
of letters with w_i ∈ Σ ∪ {ε} in order to have an easier, less formal notation. 
Altogether, the dynamic problem RANGEMEMBER(L) is defined as follows. 


Problem: RANGEMEMBER(L) 
Input: A sequence w = w₀ ... w_{n−1} of letters with w_i ∈ Σ ∪ {ε} 
Changes: SET_σ(i) for σ ∈ Σ: Sets w_i to σ, if w_i = ε 
         RESET(i): Sets w_i to ε 
Queries: RANGE(ℓ, r): Is w_ℓ ∘ ... ∘ w_r ∈ L? 


In this example, the query RANGE maps (binary) pairs of domain elements to a 
truth value and thus defines a (binary) relation over the universe of the input 
word structure. We call such a query relational. We will also consider functional 
queries mapping tuples of elements to elements. 

Another dynamic problem considered here is MEMBER(L), which is defined 
similarly to RANGEMEMBER(L) but instead of RANGE only has the Boolean 
query operation MEMBER that yields true if w₀ ∘ ... ∘ w_{n−1} ∈ L holds. 


⁶ This view is a bit broader than the traditional setting of dynamic complexity, where 
there can be various change operations but usually only one fixed query is supported. 
3 Work-sensitive Dynamic Complexity 


Since we are interested in the work that a dynamic program does, our specifica- 
tion mechanism for dynamic programs is considerably more elaborate than the 
one used in previous papers on dynamic complexity. We introduce the mecha- 
nism in this section in two steps: first the general form of dynamic programs, 
and then a more pseudo-code oriented syntax. Afterwards, we discuss how these 
dynamic programs translate into work-efficient constant-time parallel programs. 


3.1 The Dynamic Complexity Framework 


Our general form of dynamic programs mainly follows [23], but is adapted to the 
slightly broader view of a dynamic problem as a data type. For a more gentle 
introduction to dynamic complexity, we refer to [22]. 

The goal of a dynamic program for a dynamic problem Π is to support all 
its operations Δ. To do so, it stores and updates an auxiliary structure 𝒜 over 
some schema τ_aux, over the same domain as the input structure ℐ for Π. 

A (first-order) dynamic program 𝒫 consists of a set of (first-order) update 
rules for change operations and query rules for query operations. More precisely, 
a program has one query rule over schema τ_aux per query operation that speci- 
fies how the (relational) result of that operation is obtained from the auxiliary 
structure. Furthermore, for each change operation δ ∈ Δ, it has one update 
rule per auxiliary relation or function that specifies the updates after a change 
based on δ. 

A query rule is of the form on query Q(p̄) yield φ_Q(p̄), where φ_Q is the 
(first-order) query formula with free variables from p̄. 

An update rule for a k-ary auxiliary relation R is of the form 


on change δ(p̄) update R at (t₁(p̄; x̄), ..., t_k(p̄; x̄)) as φ_R^δ(p̄; x̄) where C(x̄). 


Here, φ_R^δ is the (first-order) update formula, t₁, ..., t_k are first-order terms (pos- 
sibly using the ITE construct) over τ_aux, and C(x̄), called a constraint for the 
tuple x̄ = x₁, ..., x_ℓ of variables, is a conjunction of inequalities x_i < f_i(n) using 
functions f_i: ℕ → ℕ, where n is the size of the domain and 1 ≤ i ≤ ℓ. We 
demand that all functions f_i are first-order definable from + and ×. 

The effect of such an update rule after a change operation δ(ā) is as follows: 
the new relation R^{𝒜'} in the updated auxiliary structure 𝒜' contains all tuples 
from R^𝒜 that are not equal to (t₁(ā; b̄), ..., t_k(ā; b̄)) for any tuple b̄ that satisfies 
the constraints C; and additionally R^{𝒜'} contains all tuples (t₁(ā; b̄), ..., t_k(ā; b̄)) 
such that b̄ satisfies C and 𝒜 ⊨ φ_R^δ(ā; b̄) holds. 

Phrased more operationally, an update is performed by enumerating all tu- 
ples b̄ that satisfy C, evaluating φ_R^δ(ā; b̄) on the old auxiliary structure 𝒜, and 
depending on the result adding the tuple (t₁(ā; b̄), ..., t_k(ā; b̄)) to R (if it was 
not already present), or removing that tuple from R (if it was present). 

Update rules for auxiliary functions are similar, but instead of an update 
formula that decides whether a tuple of the form (t₁(ā; b̄), ..., t_k(ā; b̄)) is con- 
tained in the updated relation, it features an update term that determines the 
new function value for a function argument of the form (t₁(ā; b̄), ..., t_k(ā; b̄)). 

We say that 𝒫 is a dynamic program for a dynamic problem Π if it sup- 
ports all its operations and, in particular, always yields correct results for query 
operations. More precisely, the result of applying a query operation after a 
sequence α of change operations on an initial structure ℐ₀ must be the same 
as the result of evaluating the query rule on the auxiliary structure that is obtained by 
applying the update rules corresponding to the change operations in α to an ini- 
tial auxiliary structure 𝒜₀. Here, an initial input structure ℐ₀ over some domain 
D is empty, that is, it is a structure with empty relations and with all function 
values being undefined (⊥). The initial auxiliary structure 𝒜₀ is over the same 
domain D as ℐ₀ and is defined from ℐ₀ by some FO-definable initialization. 

By DynFO, we denote the class of all dynamic problems that have a dynamic 
program in the sense we just defined. 
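To make the rule semantics concrete, here is an added example (not code from the paper) that evaluates update rules of the form above in exactly the order of operations just described: enumerate every x̄ satisfying C, evaluate φ on the old auxiliary structure, drop every produced tuple from R and re-add those where φ held. It runs a deliberately naive dynamic program for RANGEMEMBER(L) with L = (a|b)*abb, whose single auxiliary relation S(l, r, p, q) records that the DFA moves from p to q while reading w_l ... w_r; the terms t_i are the identity, and the evaluator also counts the tuples it enumerates, which is the n²·|Q|² work per change that the coarse polynomial bounds mentioned in the introduction refer to (the inner existential quantifier adds a further factor |Q|). The DFA, every function name and the sample change sequence are constructed for this illustration.

```python
# Added example, not code from the paper: an evaluator for update rules
#   on change δ(p̄) update R at (x̄) as φ(p̄; x̄) where x_1 < f_1(n), ..., x_ℓ < f_ℓ(n)
# with identity terms, plus a deliberately coarse dynamic program for
# RANGEMEMBER(L), L = (a|b)*abb.  Auxiliary relation S(l, r, p, q): the DFA
# moves from p to q on w_l ... w_r (ε positions skipped).  All names and the
# sample input below are constructed for this illustration.
from itertools import product

TRANS = [{"a": 1, "b": 0}, {"a": 1, "b": 2}, {"a": 1, "b": 3}, {"a": 1, "b": 0}]
START, FINALS, Q = 0, {3}, len(TRANS)


def apply_rule(A, rel, phi, bounds, params):
    """One update rule: enumerate every x̄ with x_i < f_i(n), evaluate φ on the
    OLD structure A, remove every produced tuple and re-add those where φ held.
    Returns (new relation, number of enumerated tuples); the count is the
    work charged to the rule."""
    n = A["n"]
    produced, kept = set(), set()
    for xs in product(*(range(f(n)) for f in bounds)):
        produced.add(xs)
        if phi(A, params, xs):
            kept.add(xs)
    return (A[rel] - produced) | kept, len(produced)


def initial_structure(n):
    """FO-definable initialisation for the empty word: S(l, r, p, p) everywhere."""
    return {"n": n, "word": [None] * n,
            "S": {(l, r, p, p) for l in range(n) for r in range(l, n) for p in range(Q)}}


def phi_set(A, params, xs):
    """SET_σ(i): for l ≤ i ≤ r, S'(l,r,p,q) iff ∃s. S(l,i-1,p,s) ∧ S(i+1,r,δ(s,σ),q),
    an empty half (l = i or r = i) meaning 'no move'.  Other tuples, and every
    tuple if w_i was not ε, keep their old value."""
    sigma, i = params
    l, r, p, q = xs
    S = A["S"]
    if A["word"][i] is not None or not (l <= i <= r):
        return xs in S
    for s in range(Q):
        left = (s == p) if l == i else ((l, i - 1, p, s) in S)
        t = TRANS[s][sigma]
        right = (t == q) if r == i else ((i + 1, r, t, q) in S)
        if left and right:
            return True
    return False


def phi_reset(A, params, xs):
    """RESET(i): for l ≤ i ≤ r, S'(l,r,p,q) iff ∃s. S(l,i-1,p,s) ∧ S(i+1,r,s,q)."""
    (i,) = params
    l, r, p, q = xs
    S = A["S"]
    if A["word"][i] is None or not (l <= i <= r):
        return xs in S
    return any(((s == p) if l == i else ((l, i - 1, p, s) in S)) and
               ((s == q) if r == i else ((i + 1, r, s, q) in S)) for s in range(Q))


BOUNDS = [lambda n: n, lambda n: n, lambda n: Q, lambda n: Q]   # the constraint C(x̄)


def change(A, op, *params):
    """Apply SET_σ(i), given as ("SET", σ, i), or RESET(i), given as ("RESET", i):
    S is rebuilt from the old structure first, then the input word changes."""
    phi = phi_set if op == "SET" else phi_reset
    A["S"], work = apply_rule(A, "S", phi, BOUNDS, params)
    if op == "SET":
        sigma, i = params
        if A["word"][i] is None:          # SET_σ(i) is a no-op on a non-ε position
            A["word"][i] = sigma
    else:
        A["word"][params[0]] = None
    return work


def run(A, ops):
    """Apply a list of changes; return the total work."""
    return sum(change(A, *op) for op in ops)


def query_range(A, l, r):
    """Query rule for RANGE(l, r): ∃f ∈ F. S(l, r, q_0, f)."""
    return any((l, r, START, f) in A["S"] for f in FINALS)


def naive_range(word, l, r):
    """Reference: run the DFA directly over w_l ... w_r."""
    q = START
    for a in word[l:r + 1]:
        if a is not None:
            q = TRANS[q][a]
    return q in FINALS


if __name__ == "__main__":
    A = initial_structure(6)
    ops = [("SET", "a", 1), ("SET", "b", 2), ("SET", "b", 3), ("SET", "a", 0), ("SET", "b", 5)]
    print("work per change:", run(A, ops) // len(ops))   # n*n*Q*Q = 576
    print(query_range(A, 0, 3), query_range(A, 1, 5))      # True False
    change(A, "RESET", 2)
    print(query_range(A, 0, 3), query_range(A, 1, 5))      # False True
```

Two details of the semantics are visible here: φ is always evaluated against the structure before the change (apply_rule never reads a partially rebuilt S), and a tuple that no enumerated x̄ produces survives untouched, which is why φ_set and φ_reset return the old value for intervals that do not contain the changed position.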


3.2 A syntax for work-efficient dynamic programs 


In this paper we are particularly interested in dynamic programs that require 
little work to update the auxiliary structure after every change operation and to 
compute the result of a query operation. However, since dynamic programs do 
not come with an execution model, there is no direct way to define syntactically 
when, say, a DynFO-program has polylogarithmic work. 

We follow a pragmatic approach here. We define a pseudo-code-based syntax 
for update and query procedures that will be used in place of the update and 
query formulas in rules of dynamic programs. This syntax has three important 
properties: (1) it is reasonably readable (as opposed to strict first-order 
logic formulas), (2) it allows a straightforward translation of rules into proper 
DynFO-programs, and (3) it allows one to associate a "work-bounding function" with 
each rule and to translate it into a PRAM program with O(1) parallel time and 
work bounded by this function. 

The syntax of the pseudo-code has similarities with Abstract State Ma- 
chines [4] and the PRAM syntax of [16]. For simplicity, we describe a minimal 
set of syntactic elements that suffice for the dynamic programs in this paper. 
We encourage readers to have a look at Section 5 for examples of update rules 
with pseudo-code syntax. 

We only spell out a syntax for update procedures that can be used in place of the update formula $\varphi(\bar p; \bar x)$ of an update rule 

on change $\delta(\bar p)$ update $R$ at $(t_1(\bar p; \bar x), \ldots, t_k(\bar p; \bar x))$ as $\varphi(\bar p; \bar x)$ where $C(\bar x)$. 


Query procedures are defined similarly, but they cannot invoke any change operations for supplementary instances, and their only free variables are from $\bar p$. 

We allow some compositionality: a dynamic program on some main instance 
can use supplementary instances of other dynamic problems and invoke change 
or query operations of other dynamic programs on those instances. These sup- 
plementary instances are declared on a global level of the dynamic program and 
each has an associated identifier. 
Update procedures $P = P_1; P_2$ consist of two parts. In the initial procedure $P_1$, no references to the free variables from $\bar x$ are allowed, but change operations for supplementary instances can be invoked. We require that, for each change operation $\delta$ of the main instance and each supplementary instance $S$, at most one update rule for $\delta$ invokes change operations for $S$. 

In the main procedure $P_2$, no change operations for supplementary instances can be invoked, but references to $\bar x$ are allowed. 

More precisely, both $P_1$ and $P_2$ can use (a series of) instructions of the following forms: 

– assignments $f(\bar y) \leftarrow \mathit{term}$ of a function value, 
– assignments $R(\bar y) \leftarrow \mathit{condition}$ of a Boolean value, 
– conditional branches if $\mathit{condition}$ then $P'$ else $P''$, and 
– parallel branches for $z \le g(n)$ pardo $P'$. 


Semantically, here and in the following $n$ always refers to the size of the domain of the main instance. The initial procedure $P_1$ can further use change invocations instance.$\delta(\bar y)$. However, they are not allowed in the scope of parallel branches. And we recall that in $P_1$ no variables from $\bar x$ can be used. 

The main procedure $P_2$ can further use return statements return $\mathit{condition}$ or return $\mathit{term}$, but not inside parallel branches. 

Of course, initial procedures can only have initial procedures P’ and P” in 
conditional and parallel branches, and analogously for main procedures. 

Conditions and terms are defined as follows. In all cases, $\bar y$ denotes a tuple of terms and $z$ is a local variable, not occurring in $\bar p$ or $\bar x$. In general, a term evaluates to a domain element (or to $\bot$). It is built from 

– local variables and variables from $\bar p$ and $\bar x$, 
– function symbols from $\tau_{\mathrm{aux}}$ and previous function assignments, 
– if-then-else terms if $\mathit{condition}$ then $\mathit{term}'$ else $\mathit{term}''$, 
– functional queries instance.$Q(\bar y)$, and 
– expressions getUnique($z \le g(n) \mid \mathit{condition}$). 

For the latter expression it is required that there is always exactly one domain element $a \le g(n)$ satisfying $\mathit{condition}$. 
A condition evaluates to true or false. It may be 

– an atomic formula with relation symbols from $\tau_{\mathrm{aux}}$ or previous assignments, with terms as above, 
– an expression exists($z \le g(n) \mid \mathit{condition}$), 
– a relational query instance.$Q(\bar y)$ with terms $\bar y$, and 
– a Boolean combination of conditions. 


All functions $g : \mathbb{N} \to \mathbb{N}$ in these definitions are required to be FO-definable. For assignments of relations $R$ and functions $f$ we demand that these symbols do not appear in $\tau_{\mathrm{aux}}$. If an assignment with a head $f(\bar y)$ or $R(\bar y)$ occurs in the scope of a parallel branch that binds variable $z$, then $z$ has to occur as a term $y_i$ in $\bar y$. We further demand that update procedures are well-formed, in the sense that every execution path ends with a return statement of appropriate type. 

In our pseudo-code algorithms, we display update procedures $P = P_1; P_2$ with initial procedure $P_1$ and main procedure $P_2$ as 

on change $\delta(\bar p)$ with $P_1$ 
update $R$ at $(t_1(\bar p, \bar x), \ldots, t_k(\bar p, \bar x))$, for all $C(\bar x)$, by: $P_2$. 

to emphasise that $P_1$ only needs to be evaluated once for the update of $R$, and not once for every different value of $\bar x$. 
In a nutshell, the semantics of an update rule 

on change $\delta(\bar p)$ update $R$ at $(t_1(\bar p; \bar x), \ldots, t_k(\bar p; \bar x))$ as $P$ where $C(\bar x)$ 

is defined as in Subsection 3.1, but $\mathcal{A} \models \varphi(\bar a, \bar b)$ has to be replaced by the condition that $P$ returns true under the assignment $(\bar p \mapsto \bar a; \bar x \mapsto \bar b)$. 

For update rules for auxiliary functions, $P$ returns the new function value instead of a Boolean value. 

Since $P_1$ is independent of $\bar x$, in the semantics it is only evaluated once. In particular, any change invocations are triggered only once. 

With Procedural-DynFO-programs we refer to the above class of dynamic update programs. Here and later we will introduce abbreviations as syntactic sugar, for example the sequential loop for $z \le m$ do $P$, where $m \in \mathbb{N}$ needs to be a fixed natural number. 

We show next that update and query procedures can be translated into constant-time CRAM programs. Since the latter can be translated into FO-formulas [14, Theorem 5.2], Procedural-DynFO-programs can be translated into DynFO-programs. 


3.3 Implementing Procedural-DynFO-programs as PRAMs 


We use Parallel Random Access Machines (PRAMs) as the computational model 
to measure the work of our dynamic programs. A PRAM consists of a number 
of processors that work in parallel and use a shared memory. We only consider 
CRAMs, a special case of Concurrent-Read Concurrent-Write model (CRCW 
PRAM), i.e. processors are allowed to read and write concurrently from and 
to the same memory location, but if multiple processors concurrently write the 
same memory location, then all of them need to write the same value. For an 
input of size n we denote the time that a PRAM algorithm needs to compute 
the solution as T(n). The work W(n) of a PRAM algorithm is the sum of the 
number of all computation steps of all processors made during the computation. 
For further details we refer to [4,16]. 

It is easy to see that Procedural-DynFO programs $P$ can be translated into $O(1)$-time CRAM-programs $C$. To be able to make a statement about (an upper bound of) the work of $C$, in the full version of this paper we associate a function $w$ with update rules and show that every update rule can be implemented by an $O(1)$-time CRAM-program with work $O(w)$. Likewise for query rules. 

In a nutshell, the work of an update procedure mainly depends on the scopes of the (nested) parallel branches and the amount of work needed to query and update the supplementary instances. The work of a whole update rule is then determined by adding the work of the initial procedure once and adding the work of the main procedure for each tuple that satisfies the constraint of the update rule. 


4 A simple work-efficient Dynamic Program 


In this section we consider a simple dynamic problem with a fairly work-efficient 
dynamic program. It serves as an example for our framework but will also be 
used as a subroutine in later sections. 

The dynamic problem is to maintain a subset K of an ordered set D of 
elements under insertion and removal of elements in K, allowing for navigation 
from an element of D to the next larger and smaller element in K. That is, we 
consider the following dynamic problem: 


Problem: NEXTINK 
Input: A set $K \subseteq D$ with canonical linear order $<$ on $D$ 
Changes: INS($i$): Inserts $i \in D$ into $K$ 
         DEL($i$): Deletes $i \in D$ from $K$ 
Queries: PRED($i$): Returns the predecessor of $i$ in $K$, i.e. $\max\{j \in K \mid j < i\}$ 
         SUCC($i$): Returns the successor of $i$ in $K$, i.e. $\min\{j \in K \mid i < j\}$ 


For the smallest (largest) element the result of a PRED (SUCC) query is undefined, i.e. $\bot$. For simplicity, we assume in the following that $D$ is always of the form $[n]$, for some $n \in \mathbb{N}$. 

Sequentially, the changes and queries of NEXTINK can be handled in sequen- 
tial time O(loglogn) [9]. Here we show that the problem also has a dynamic 
program with parallel time O(1) and work O(log n). 


Lemma 4.1. There is a DynFO-program for NEXTINK with O(log n) work per 
change and query operation. 


Proof. The dynamic program uses an ordered balanced binary tree $T$ with leaf set $[n]$, and with 0 as its leftmost leaf. Each inner node $v$ represents the interval $S(v)$ of numbers labelling the leaves of the subtree of $v$. To traverse the tree, the dynamic program uses functions 1st and 2nd that map an inner node to its first or second child, respectively, and a function anc($v, j$) that returns the $j$-th ancestor of $v$ in the tree.† So, anc($v, 2$) returns the parent of the parent of $v$. 

The functions 1st, 2nd and anc are static, that is, they are initialized beforehand and not affected by change operations. 


† Formally, the $2|D|$ nodes of $T$ can be represented by pairs $(a, b)$ of elements. In our presentation, we disregard these technical issues and use nodes of $T$ just as domain elements. 
Algorithm 1 Querying a successor. 

1: on query SUCC($i$): 
2:   if $\max(T.\mathrm{root}) \le i$ then 
3:     return $\bot$ 
4:   else 
5:     $k \leftarrow$ getUnique($1 \le k \le \log n \mid \max(T.\mathrm{anc}(i, k)) > i$ 
6:                       $\wedge\ \max(T.\mathrm{anc}(i, k-1)) \le i$) 
7:     return $\min(T.\mathrm{2nd}(T.\mathrm{anc}(i, k)))$ 


Algorithm 2 Updating min after an insertion. 

1: on change INS($i$) update min at $T.\mathrm{anc}(i, k)$, for all $k \le \log n$, by: 
2:   $v \leftarrow T.\mathrm{anc}(i, k)$ 
3:   if $\min(v) = \bot$ or $\min(v) > i$ then 
4:     return $i$ 
5:   else 
6:     return $\min(v)$ 


The idea of the dynamic program is to maintain, for each node $v$, the maximal and minimal element in $K \cap S(v)$ (which is undefined if $K \cap S(v) = \emptyset$), by maintaining two functions min and max. It is easy to see that this information can be updated and queries can be answered in $O(\log n)$ time, as the tree has depth $O(\log n)$. For achieving $O(\log n)$ work and constant time, we need to have a closer look. 

Using min and max, it is easy to determine the $K$-successor of an element $i \in D$: if $v$ is the lowest ancestor of $i$ with $\max(v) > i$, then the $K$-successor of $i$ is $\min(w)$ for the second child $w = \mathrm{2nd}(v)$ of $v$. Algorithm 1 shows a query rule for the query operation SUCC($i$). The update of these functions is easy when an element $i$ is inserted into $K$. This is spelled out for min in Algorithm 2. The dynamic program only needs to check if the new element becomes the minimal element in $S(v)$, for every node $v$ that is an ancestor of the leaf $i$. 

Algorithm 3 shows how min can be updated if an element $i$ is deleted from $K$: if $i$ is the minimal element of $K$ in $S(v)$, for some node $v$, then $\min(v)$ needs to be replaced by its $K$-successor, assuming it is in $S(v)$. 

It is easy to verify the claimed work upper bounds for $P$. Querying a successor or predecessor via Algorithm 1 needs $O(\log n)$ work, since Line 6 requires $O(\log n)$ and all others require $O(1)$ work. For maintaining the function min, the programs in Algorithms 2 and 3 update the value of $\log n$ tuples, but the work per tuple is constant. In the case of a deletion, Line 3 requires $O(\log n)$ work but is executed only once. The remaining part consists of $O(\log n)$ parallel executions of statements, each with $O(1)$ work. 

The handling of max and its work analysis is analogous. 
Algorithm 3 Updating min after a deletion. 

1: on change DEL($i$) 
2:   with 
3:     $s \leftarrow$ SUCC($i$) 
4:   update min at $T.\mathrm{anc}(i, k)$, for all $k \le \log n$, by: 
5:     $v \leftarrow T.\mathrm{anc}(i, k)$ 
6:     if $\min(v) \ne i$ then 
7:       return $\min(v)$ 
8:     else if $\max(v) = i$ then 
9:       return $\bot$ 
10:    else 
11:      return $s$ 
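The following is an added example, not code from the paper: a sequential Python model of the NEXTINK program of Lemma 4.1 (Algorithms 1 to 3 plus their mirror images for max and PRED) over a complete binary tree. The `(height, index)` node encoding, the use of `None` for the undefined value, and the `work` counter that tallies per-node steps of each operation are assumptions of this example; the counter makes the $O(\log n)$ work bound visible.

```python
from math import log2

class NextInK:
    """NEXTINK over D = [n], n a power of two, on a complete binary tree whose
    leaves are 0..n-1 (Lemma 4.1, Algorithms 1-3). A node is the pair
    (height, index): height 0 nodes are leaves, a node of height h covers the
    leaves index*2^h .. (index+1)*2^h - 1. None stands for the undefined value.
    Added example, not the paper's code; the node encoding is an assumption."""

    def __init__(self, n):
        assert n >= 2 and n & (n - 1) == 0, "n must be a power of two"
        self.n = n
        self.logn = int(log2(n))
        self.mn = {}    # min(v): smallest element of K in S(v), None if empty
        self.mx = {}    # max(v): largest element of K in S(v), None if empty
        self.work = 0   # node-level steps of the last operation (work measure)

    # Static tree functions: initialised once, never touched by changes.
    def anc(self, i, k):            # k-th ancestor of leaf i (k = 0: the leaf)
        return (k, i >> k)

    def fst(self, v):               # first child
        return (v[0] - 1, 2 * v[1])

    def snd(self, v):               # second child
        return (v[0] - 1, 2 * v[1] + 1)

    def root(self):
        return (self.logn, 0)

    def succ(self, i):
        """Algorithm 1: min{j in K | i < j}, or None. The lowest ancestor v of
        i with max(v) > i is found by checking every k independently (this is
        the getUnique(...) search); each check costs O(1) work."""
        self.work = 1
        top = self.mx.get(self.root())
        if top is None or top <= i:
            return None
        found = []
        for k in range(1, self.logn + 1):
            self.work += 1
            hi = self.mx.get(self.anc(i, k))
            lo = self.mx.get(self.anc(i, k - 1))
            if hi is not None and hi > i and (lo is None or lo <= i):
                found.append(k)
        assert len(found) == 1          # precondition of getUnique
        return self.mn[self.snd(self.anc(i, found[0]))]

    def pred(self, i):
        """Mirror image of Algorithm 1: max{j in K | j < i}, or None."""
        self.work = 1
        top = self.mn.get(self.root())
        if top is None or top >= i:
            return None
        found = []
        for k in range(1, self.logn + 1):
            self.work += 1
            lo = self.mn.get(self.anc(i, k))
            hi = self.mn.get(self.anc(i, k - 1))
            if lo is not None and lo < i and (hi is None or hi >= i):
                found.append(k)
        assert len(found) == 1
        return self.mx[self.fst(self.anc(i, found[0]))]

    def insert(self, i):
        """INS(i): Algorithm 2 for min and its mirror image for max, run for
        every ancestor (the paper does this in parallel, O(1) work each)."""
        self.work = 0
        for k in range(self.logn + 1):
            self.work += 1
            v = self.anc(i, k)
            m, M = self.mn.get(v), self.mx.get(v)
            self.mn[v] = i if m is None or m > i else m
            self.mx[v] = i if M is None or M < i else M

    def delete(self, i):
        """DEL(i): Algorithm 3 for min (and its mirror image for max). The
        initial procedure computes successor and predecessor once; the main
        procedure then needs O(1) work per ancestor."""
        s = self.succ(i)
        w = self.work
        p = self.pred(i)
        w += self.work
        for k in range(self.logn + 1):
            w += 1
            v = self.anc(i, k)
            m, M = self.mn.get(v), self.mx.get(v)   # values before the change
            if m == i:
                self.mn[v] = None if M == i else s
            if M == i:
                self.mx[v] = None if m == i else p
        self.work = w
```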




5 Regular Languages 


In this section, we show that the range problem can be maintained with o(n) work 
for all regular languages and with polylogarithmic work for star-free languages. 
For the former we show how to reduce the work of a known DynFO-program. 
For the latter we translate the idea of [9] for maintaining the range problem for 
star-free languages in O(log log n) sequential time into a dynamic program with 
O(1) parallel time. 


5.1 DynFO-programs with sublinear work for regular languages 


Theorem 5.1. Let $L$ be a regular language. Then RANGEMEMBER($L$) can be maintained in DynFO with work $O(n^{\varepsilon})$ per query and change operation, for every $\varepsilon > 0$. 


The proof of this theorem makes use of the algebraic view of regular languages. For readers not familiar with this view, the basic idea is as follows: for a fixed DFA $A = (Q, \Sigma, \delta, q_0, F)$, we first associate with each string $w$ a function $f_w$ on $Q$ that is induced by the behaviour of $A$ on $w$ via $f_w(q) = \delta^*(q, w)$, where $\delta^*$ is the extension of the transition function $\delta$ to strings. The set of all functions $f : Q \to Q$ with composition as binary operation is a monoid, that is, a structure with an associative binary operation $\circ$ and a neutral element, the identity function. Thus, composing the effect of $A$ on subsequent substrings of a string corresponds to multiplication of the monoid elements associated with these substrings. The syntactic monoid $M(L)$ of a regular language $L$ is basically the monoid associated with its minimal automaton. 

It is thus clear that, for the dynamic problem RANGEMEMBER($L$) where $L$ is regular, a dynamic program can be easily obtained from a dynamic program for the dynamic problem RANGEEVAL($M(L)$), where RANGEEVAL($M$), for finite monoids $M$, is defined as follows.⁸ 


8 We note that, unlike for words, each position always carries a monoid element. 
However, the empty string of the word case corresponds to the neutral element in 
Problem: RANGEEVAL($M$) 
Input: A sequence $m_0 \ldots m_{n-1}$ of monoid elements $m_i \in M$ 
Changes: SET$_m(i)$ for $m \in M$: Replaces $m_i$ by $m$ 
Queries: RANGE($l, r$): $m_l \circ \cdots \circ m_r$ 


For the proof of Theorem 5.1 we do not need any insights into monoid theory. However, when studying languages definable by first-order formulas in Theorem 5.3 below, we will make use of a known decomposition result. 

From the discussion above it is now clear that in order to prove Theorem 5.1 it suffices to prove the following result. 


Proposition 5.2. Let $M$ be a finite monoid. For every $\varepsilon > 0$, RANGEEVAL($M$) can be maintained in DynFO with work $O(n^{\varepsilon})$ per query and change operation. 


Proof sketch. In [11], it was (implicitly) shown that RANGEMEMBER($L$) is in DynProp (that is, quantifier-free DynFO), for regular languages $L$. The idea was to maintain the effect of a DFA for $L$ on $w[\ell, r]$, for each interval $(\ell, r)$ of positions. This approach can be easily used for RANGEEVAL($M$) as well, but it requires a quadratic number of updates after a change operation, in the worst case. 

We adapt this approach and only store the effect of the DFA for $O(n^{\varepsilon})$ intervals, by considering a hierarchy of intervals of bounded depth. 

The first level in the hierarchy of intervals is obtained by decomposing the input sequence into intervals of length $t$, for a carefully chosen $t$. We call these intervals base intervals of height 1 and their subintervals special intervals of height 1. The latter are special in the sense that they are exactly the intervals for which the dynamic program maintains the product of monoid elements. In particular, each base interval of height 1 gives rise to $O(t^2)$ special intervals of height 1. The second level of the hierarchy is obtained by decomposing the sequence of base intervals of height 1 into sequences of length $t$. Each such sequence of length $t$ is combined to one base interval of height 2; and each contiguous subsequence of such a sequence is combined to one special interval of height 2. Again, each base interval of height 2 gives rise to $O(t^2)$ special intervals of height 2. This process is continued recursively for the higher levels of the hierarchy, until only one base interval of height $h$ remains. We refer to Figure 1 for an illustration of this construction. 

The splitting factor $t$ is chosen in dependence of $n$ and $\varepsilon$ such that the height of this hierarchy of special intervals only depends on $\varepsilon$ and is thus constant for all $n$. More precisely, we fix $\lambda = \varepsilon/2$ and $t = n^{\lambda}$. Therefore, $h = \log_t(n) = 1/\lambda$. 

The idea for the dynamic program is to store the product of monoid elements for each special interval. The two crucial observations are then that (1) the product of each (not necessarily special) interval can be computed with the help of a constant number of special intervals, and (2) each change operation affects at most $t^2$ special intervals per level of the hierarchy and thus at most $h t^2 \in O(n^{\varepsilon})$ special intervals in total. We refer to the full version for more details. 


the monoid case. In particular, the initial “empty” sequence consists of n copies of 
the neutral element. 
Fig. 1. Illustration of special intervals, for $t = 3$. The special intervals of level 3 are $[0,9)$, $[9,18)$, $[18,27)$, $[0,18)$ and $[9,27)$ with base interval $[0,27)$. The result of a query RANGE(2, 22) can be computed as $\bigcirc_{i=2}^{22} m_i = (m[2,3) \circ m[3,9)) \circ m[9,18) \circ (m[18,21) \circ m[21,23))$, illustrated above in blue. The affected base intervals for a change at position 23 are marked in red. E.g., the new product $m'[18,27)$ can be computed by $m'[18,27) = m[18,21) \circ m'[21,24) \circ m[24,27)$. As the products are recomputed bottom up, $m'[21,24)$ is already updated. 
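As an added example (not the paper's code), the following Python class maintains RANGEEVAL($M$) with the hierarchy of special intervals from the proof of Proposition 5.2, and reproduces the query decomposition and the affected intervals of Figure 1 for $t = 3$, $n = 27$. The monoid is the transformation monoid of a small constructed DFA (so the same code answers RANGEMEMBER as in Theorem 5.1); the greedy choice of the longest aligned special interval in the query, and the bottom-up recomputation from the base intervals one level down, are this example's concrete realisation of the two observations in the proof sketch.

```python
from functools import reduce

def compose(f, g):
    """Product in the transformation monoid of a DFA: apply f, then g."""
    return tuple(g[q] for q in f)

# Constructed example monoid: transformations of the 3-state DFA for the
# language "ends with ab" over {a, b}; state 2 is the only accepting state.
IDENT = (0, 1, 2)
LETTER = {"a": (1, 1, 1), "b": (0, 2, 0)}

class RangeEval:
    """RANGEEVAL(M) with the hierarchy of special intervals of Proposition 5.2.
    Added example, not the paper's code. The monoid is given by (mult, neutral);
    t is the splitting factor and h the height, so n = t**h. A special interval
    of height L is [base + a*u, base + b*u) with u = t**(L-1), 0 <= a < b <= t,
    inside the base interval [base, base + t**L) of that height."""

    def __init__(self, mult, neutral, t, h):
        self.mult, self.e, self.t, self.h = mult, neutral, t, h
        self.n = t ** h
        self.seq = [neutral] * self.n   # initially n copies of the neutral element
        self.prod = {}                  # product of each special interval, key (lo, hi)
        for lvl in range(1, h + 1):
            u = t ** (lvl - 1)
            for base in range(0, self.n, u * t):
                for a in range(t):
                    for b in range(a + 1, t + 1):
                        self.prod[(base + a * u, base + b * u)] = neutral

    def _unit(self, lvl, x):
        """Product of the base interval of height lvl starting at x (lvl 0: m_x)."""
        return self.seq[x] if lvl == 0 else self.prod[(x, x + self.t ** lvl)]

    def set_elem(self, i, m):
        """SET_m(i). Recomputes, bottom up, every special interval containing
        position i; returns how many were recomputed (at most h * t**2)."""
        self.seq[i] = m
        touched = 0
        for lvl in range(1, self.h + 1):
            u = self.t ** (lvl - 1)
            base = i // (u * self.t) * (u * self.t)
            pos = (i - base) // u                   # unit of the base interval holding i
            for a in range(pos + 1):
                for b in range(pos + 1, self.t + 1):
                    p = self.e
                    for j in range(a, b):           # product of the units one level down
                        p = self.mult(p, self._unit(lvl - 1, base + j * u))
                    self.prod[(base + a * u, base + b * u)] = p
                    touched += 1
        return touched

    def range_query(self, l, r):
        """RANGE(l, r) = m_l o ... o m_r. Greedily takes the longest special
        interval starting at the current position, so at most 2h stored
        products are combined. Returns (product, list of intervals used)."""
        cur, end, p, used = l, r + 1, self.e, []
        while cur < end:
            for lvl in range(self.h, 0, -1):
                u = self.t ** (lvl - 1)
                if cur % u:
                    continue                        # not aligned to this height
                base = cur // (u * self.t) * (u * self.t)
                j = min((end - cur) // u, self.t - (cur - base) // u)
                if j >= 1:
                    used.append((cur, cur + j * u))
                    p = self.mult(p, self.prod[(cur, cur + j * u)])
                    cur += j * u
                    break
        return p, used

def range_member(re, l, r, start=0, accepting=(2,)):
    """RANGEMEMBER for the DFA above: does the product of the range, applied to
    the start state, reach an accepting state?"""
    return re.range_query(l, r)[0][start] in accepting
```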


5.2 DynFO-programs with polylogarithmic work for star-free languages 


Although the work bound of Theorem 5.1 for regular languages is strongly sublinear, 
one might aim for an even more work-efficient dynamic program, especially, 
since RANGEMEMBER(L) can be maintained sequentially with logarithmic up- 
date time for regular languages [9]. We leave it as an open problem whether for 
every regular language L there is a DynFO-program for RANGEMEMBER(L) with 
a polylogarithmic work bound. However, we show next that such programs exist 
for star-free regular languages, in fact they even have a logarithmic work bound. 
The star-free languages are those that can be expressed by regular expressions 
that do not use the Kleene star operator but can use complementation. 


Theorem 5.3. Let L be a star-free regular language. Then RANGEMEMBER(L) 
can be maintained in DynFO with work O(log n) per query and change operation. 


It is well-known that star-free regular languages are just the regular languages that can be defined in first-order logic (without arithmetic!) [18]. Readers might ask why we consider dynamic first-order maintainability of a problem that can actually be expressed in first-order logic. The key point is the parallel work here: even though the membership problem for star-free languages can be solved by a parallel algorithm in time $O(1)$, it inherently requires parallel work $\Omega(n)$. 


Proof sketch. The proof uses the well-known connection between star-free languages and group-free monoids (see, e.g., [Chapter V.3] and [25, Theorem V.3.2]). It thus follows the approach of [9]. 

In a nutshell, our dynamic program simply implements the algorithms of the proof of Theorem 2.4.2 in [9]. Those algorithms consist of a constantly bounded number of simple operations and a constantly bounded number of searches for a next neighbour in a set. Since the latter can be done in DynFO with work $O(\log n)$ thanks to Lemma 4.1, we get the desired result for group-free monoids and then for star-free languages. We refer to the full version for more details. 
6 Context Free Languages 


As we have seen in Section 5, range queries to regular languages can be maintained in DynFO with strongly sublinear work. An immediate question is whether context-free languages are equally well-behaved. Already the initial paper by Patnaik and Immerman showed that DynFO can maintain the membership problem for Dyck languages $D_k$, for $k \ge 1$, that is, the languages of well-balanced parentheses expressions with $k$ types of parentheses [20]. It was shown afterwards in [11, Theorem 4.1] that DynFO actually captures the membership problem for all context-free languages and that Dyck languages even do not require quantifiers in formulas (but functions in the auxiliary structure) [11, Proposition 4.4]. These results can easily be seen to apply to range queries as well. However, the dynamic program of [11, Theorem 4.1] uses 4-ary relations and three nested existential quantifiers, yielding work in the order of $n^7$. 

In the following, we show that the membership problem for context-free languages is likely not solvable in DynFO with sublinear work, but that the Dyck language $D_1$ with one bracket type can be handled with polylogarithmic work for the membership problem and work $O(n^{\varepsilon})$ for the range problem, and that for other Dyck languages these bounds hold with an additional linear factor $n$. 


6.1 A conditional lower bound for context-free languages 


Our conditional lower bound for context-free languages is based on a result 
from Abboud et al. [2] and the simple observation that the word problem for a 
language L can be solved, given a dynamic program for its membership problem. 


Lemma 6.1. Let $L$ be a language. If MEMBER($L$) can be maintained in DynFO with work $f(n)$, then the word problem for $L$ can be decided sequentially in time $O(n \cdot f(n))$. 


The announced lower bound is relative to the following conjecture [1]. 


Conjecture 6.2 ($k$-Clique conjecture). For any $\varepsilon > 0$ and $k \ge 3$, $k$-Clique has no algorithm with time bound $O(n^{(\omega/3 - \varepsilon) k})$. 


Here, $\omega$ is the matrix multiplication exponent [10,27], which is known to be smaller than 2.373 and believed to be exactly two [10,27]. 

In [2], the word problem for context-free languages was linked to the k-Clique 
problem as follows. 


Theorem 6.3 ([2, Theorem 1.1]). There is a context free grammar $G$ such that, if the word problem for $L(G)$ can be solved in time $T(n)$, $k$-Clique can be solved on $n$ node graphs in $O(T(n^{k/3+1}))$ time, for any $k \ge 3$. 


Putting Lemma 6.1 and Theorem 6.3 together, we get the following result. 


Theorem 6.4. There is a context free grammar $G$ such that, if the membership problem for $L(G)$ can be solved by a DynFO-program with work $O(n^{\omega - 1 - \varepsilon})$, for some $\varepsilon > 0$, then the $k$-Clique conjecture fails. 
The simple proofs of Lemma 6.1 and Theorem 6.4 are presented in the full version. 

Thus, we cannot reasonably expect any DynFO-programs for general context-free languages with considerably less work than $O(n^{1.373})$, barring any breakthroughs for matrix multiplication. In fact, for “combinatorial DynFO-programs”, an analogous reasoning yields a work lower bound of $O(n^{2 - \varepsilon})$. 


6.2 On work-efficient dynamic programs for Dyck languages 


We next turn to Dyck languages. Clearly, all Dyck languages are deterministic context-free, their word problem can therefore be solved in linear time, and thus the lower bound approach of the previous subsection does not work for them. We first present the DynFO-program with polylogarithmic work for the membership problem of $D_1$. It basically mimics the sequential algorithm from [8] that maintains $D_1$ sequentially in time $O(\log n)$ per change and query operation. 


Theorem 6.5. MEMBER($D_1$) can be maintained in DynFO with $O((\log n)^2)$ work. 


Proof sketch. Let $\Sigma_1 = \{(, )\}$ be the alphabet underlying $D_1$. The dynamic program uses an ordered binary tree $T$ such that each leaf corresponds to one position from left to right. A parent node corresponds to the set of positions of its children. We assume for simplicity that the domain is $[n]$, for some number $n$ that is a power of 2. In a nutshell, the program maintains for each node $x$ of $T$ the numbers $\ell(x)$ and $r(x)$ that represent the number of unmatched closing and unmatched opening brackets of the string str($x$) corresponding to $x$ via the leaves of the induced subtree at $x$. E.g., if that string is )())(() for $x$, then $\ell(x) = 2$ and $r(x) = 1$. The overall string $w$ is in $D_1$ exactly if $r(\mathrm{root}) = \ell(\mathrm{root}) = 0$. 

In the algorithm of [8], the functions $\ell$ and $r$ are updated in a bottom-up fashion. However, we will observe that they do not need to be updated sequentially in that fashion, but can be updated in parallel constant time. In the following, we describe how $P$ can update $\ell(x)$ and $r(x)$ for all ancestor nodes $x$ of a position $p$, after a closing parenthesis ) was inserted at $p$. Maintaining $\ell$ and $r$ for the other change operations is analogous. 

There are two types of effects that an insertion of a closing parenthesis could have on $x$: either $\ell(x)$ is increased by one and $r(x)$ remains unchanged, or $r(x)$ is decreased by one and $\ell(x)$ remains unchanged. We denote these effects by the pairs $(+1, 0)$ and $(0, -1)$, respectively. 

Table 1. The effect on $x$ after a closing parenthesis was inserted at position $p$. The effects depend on the effect on the children $y_1$ and $y_2$ of $x$: for example, an entry $(0,-1) \to (+1,0)$ in the column ‘$p$ is in str($y_1$)’ means that if the change operation has effect $(0,-1)$ on $y_1$ then the change operation has effect $(+1,0)$ on $x$. 

                 | p is in str(y1)    | p is in str(y2) 
 r(y1) ≤ ℓ(y2)   | (+1,0) → (+1,0)    | (+1,0) → (+1,0) 
                 | (0,−1) → (+1,0)    | (0,−1) → (0,−1) 
 r(y1) > ℓ(y2)   | (+1,0) → (+1,0)    | (+1,0) → (0,−1) 
                 | (0,−1) → (0,−1)    | (0,−1) → (0,−1) 

Table 1 shows how the effect of a change at a position $p$ below a node $x$ with children $y_1$ and $y_2$ relates to the effect at the affected child. This depends on whether $r(y_1) \le \ell(y_2)$ and whether the affected child is $y_1$ or $y_2$. A closer inspection of Table 1 reveals a crucial observation: in the upper left and the lower right field of the table, the effect on $x$ is independent of the effect on the child (be it $y_1$ or $y_2$). That is, these cases induce an effect on $x$ independent of the children. We thus call these cases effect-inducing. In the other two fields, the effect on $x$ depends on the effect at the child, but in the simplest possible way: they are just the same. That is, the effect at the child is just adopted by $x$. We call these cases effect-preserving. To determine the effect at $x$ it is thus sufficient to identify the highest affected descendant node $z$ of $x$, where an effect-inducing case applies, such that for all intermediate nodes between $x$ and $z$ only effect-preserving cases apply. 

Our dynamic program implements this idea. First it determines, for each ancestor $x$ of the change position $p$, whether it is effect-inducing and which effect is induced. Then it identifies, for each $x$, the node $z$ (represented by its height $i$ above $p$) as the unique effect-inducing node that has no effect-inducing node on its path to $x$. The node $z$ can be identified with work $O((\log n)^2)$, as $z$ is one of at most $\log n$ many nodes on the path from $x$ to the leaf of $p$, and one needs to check that all nodes between $x$ and $z$ are effect-preserving. As the auxiliary relations need to be updated for $\log n$ many nodes, the overall work of $P$ is $O((\log n)^2)$. We refer to the full version for more details. 
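The following is an added example, not the paper's code: a Python model of the $\ell$/$r$ bookkeeping for MEMBER($D_1$) in which an insertion of ) is propagated to every ancestor through Table 1 (effect-inducing versus effect-preserving nodes) instead of a bottom-up recomputation, with the bottom-up method of [8] kept only as a check. The `(height, index)` node encoding and the use of `''` for an empty position are assumptions of this example.

```python
class DyckOne:
    """ell(x) / r(x) bookkeeping for MEMBER(D_1) on a complete binary tree over
    positions 0..n-1 (n a power of two), following the proof of Theorem 6.5:
    an insertion of ')' is propagated to every ancestor by the effect table
    (Table 1) instead of a bottom-up recomputation. Added example, not the
    paper's code; nodes are pairs (height, index) and '' marks an empty
    position (both are assumptions of this example)."""

    def __init__(self, word, n):
        assert n & (n - 1) == 0 and len(word) <= n
        self.n, self.logn = n, n.bit_length() - 1
        self.w = list(word) + [''] * (n - len(word))
        self.l, self.r = self.recompute()

    @staticmethod
    def combine(l1, r1, l2, r2):
        """Unmatched brackets of str(y1)str(y2): the unmatched closing brackets
        of y2 first cancel unmatched opening brackets of y1."""
        return l1 + max(0, l2 - r1), r2 + max(0, r1 - l2)

    def recompute(self):
        """Bottom-up evaluation of ell and r for all nodes (used for checking)."""
        l, r = {}, {}
        for j, c in enumerate(self.w):
            l[(0, j)], r[(0, j)] = {')': (1, 0), '(': (0, 1), '': (0, 0)}[c]
        for h in range(1, self.logn + 1):
            for j in range(self.n >> h):
                y1, y2 = (h - 1, 2 * j), (h - 1, 2 * j + 1)
                l[(h, j)], r[(h, j)] = self.combine(l[y1], r[y1], l[y2], r[y2])
        return l, r

    def member(self):
        root = (self.logn, 0)
        return self.l[root] == 0 and self.r[root] == 0

    def induced_effect(self, x, change_in_y1):
        """Table 1, evaluated on the values before the change. Returns the
        effect that x adopts regardless of its child (effect-inducing case)
        or None when x just copies the child's effect (effect-preserving)."""
        y1, y2 = (x[0] - 1, 2 * x[1]), (x[0] - 1, 2 * x[1] + 1)
        if self.r[y1] <= self.l[y2]:
            return (1, 0) if change_in_y1 else None
        return None if change_in_y1 else (0, -1)

    def insert_closing(self, p):
        """Insert ')' at the empty position p and update ell/r of all ancestors.
        The ancestor at height i gets the effect of the nearest effect-inducing
        node z at or below it, or the leaf effect (+1, 0) if there is none;
        every ancestor is handled independently with O(log n) work each, so
        O((log n)^2) in total. Returns {height: effect}."""
        assert self.w[p] == ''
        self.w[p] = ')'
        induced = {}
        for i in range(1, self.logn + 1):
            x = (i, p >> i)
            change_in_y1 = ((p >> (i - 1)) & 1) == 0
            induced[i] = self.induced_effect(x, change_in_y1)
        effects = {0: (1, 0)}
        for i in range(1, self.logn + 1):
            effects[i] = (1, 0)
            for j in range(i, 0, -1):             # walk down towards the leaf
                if induced[j] is not None:
                    effects[i] = induced[j]
                    break
        for i, (dl, dr) in effects.items():
            x = (i, p >> i)
            self.l[x] += dl
            self.r[x] += dr
        return effects
```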


A work-efficient dynamic program for range queries for $D_1$ and $D_k$ 
Unfortunately, the program of Theorem 6.5 does not support range queries, since it seems that one would need to combine the unmatched parentheses of $\log n$ many nodes of the binary tree in the worst case. However, its idea can be combined with the idea of Proposition 5.2, yielding a program that maintains $\ell$ and $r$ for $O(n^{\varepsilon})$ special intervals on a constant number of levels. 

In fact, this approach even works for $D_k$ for $k > 1$. Indeed, with the help of $\ell$ and $r$, it is possible to identify for each position of an opening parenthesis the position of the corresponding closing parenthesis in $O(1)$ parallel time with work $n^{\varepsilon}$, and then one only needs to check that they match everywhere. The latter contributes an extra factor $O(n)$ to the work, for $k > 1$, but can be skipped for $k = 1$. 


Theorem 6.6. For all $\varepsilon > 0$ and $k > 1$, 

a) RANGEMEMBER($D_1$) can be maintained in DynFO with $O(n^{\varepsilon})$ work, and 
b) RANGEMEMBER($D_k$) can be maintained in DynFO with $O(n^{\varepsilon})$ work per change operation and $O(n^{1+\varepsilon})$ work per query operation. 
Proof sketch. In the following we reuse the definition of special intervals from the proof of Proposition 5.2 as well as the definition of $\ell$ and $r$ from the proof of Theorem 6.5. We first describe a dynamic program for RANGEMEMBER($D_1$). It maintains $\ell$ and $r$ for all special intervals, which is clearly doable with $O(n^{\varepsilon})$ work per change operation. Similar to the proof of Proposition 5.2, the two crucial observations (justified in the full version) are that (1) a range query can be answered with the help of a constant number of special intervals, and (2) the change operation affects only a bounded number of special intervals per level. 

As stated before, the program for RANGEMEMBER($D_k$) also maintains $\ell$ and $r$, but it should be emphasised that also in the case of several parenthesis types, the definition of these functions ignores the bracket type. With that information it computes, for each opening bracket, the position of its matching closing bracket, with the help of $\ell$ and $r$, and checks that they match. This can be done in parallel and with work $O(n^{\varepsilon})$ per position. We refer to the full version for more details. 


Moderately work-efficient dynamic programs for $D_k$ We now turn to the membership query for $D_k$ with $k > 1$. Again, our program basically mimics the sequential algorithm from [8] which heavily depends on the dynamic problem STRINGEQUALITY that asks whether two given strings are equal. 


Problem: STRINGEQUALITY 
Input: Two sequences $u = u_0 \ldots u_{n-1}$ and $v = v_0 \ldots v_{n-1}$ of letters 
       with $u_i, v_i \in \Sigma \cup \{\varepsilon\}$ 
Changes: SET$_{x,\sigma}(i)$ for $\sigma \in \Sigma$, $x \in \{u, v\}$: Sets $x_i$ to $\sigma$, if $x_i = \varepsilon$ 
         RESET$_x(i)$ for $x \in \{u, v\}$: Sets $x_i$ to $\varepsilon$ 
Queries: EQUALS: Is $u_0 \circ \cdots \circ u_{n-1} = v_0 \circ \cdots \circ v_{n-1}$? 


It is easy to show that a linear amount of work is sufficient to maintain 
STRINGEQUALITY. 


Lemma 6.7. STRINGEQUALITY is in DynFO with work O(n). 


Because of the linear work bound for STRINGEQUALITY our dynamic program for MEMBER($D_k$) also has a linear factor in the work bound. 


Theorem 6.8. MEMBER($D_k$) is maintainable in DynFO with work $O(n \log n + (\log n)^3)$ for every fixed $k \in \mathbb{N}$. 


Proof sketch. The program can be seen as an extension of the program for MEMBER($D_1$). As unmatched parentheses are no longer well-defined if we have more than one type of parenthesis, the idea of [8] is to maintain the parentheses to the left and right that remain if we reduce the string by matching opening and closing parentheses regardless of their type. To be able to answer MEMBER($D_k$), the dynamic program maintains the unmatched parentheses for every node $x$ of a tree spanning the input word, and a bit $M(x)$ that indicates whether the types of the parentheses match properly. 

How the unmatched parentheses can be maintained for a node $x$ after a change operation depends on the “segment” of str($x$) in which the change happened and in some cases reduces to finding a node $z$ with a local property on the path from $x$ to the leaf that corresponds to the changed position. 

To update $M(x)$ for a node $x$ with children $y_1$ and $y_2$ the dynamic program compares the unmatched parentheses to the right of $y_1$ with the ones to the left of $y_2$ using STRINGEQUALITY. We refer to the full version for more details. 


Maintaining string equality and membership in $D_k$ for $k > 1$ are even more closely related, as stated in the following lemma. 


Lemma 6.9. a) If STRINGEQUALITY can be maintained in DynFO with work $W(n)$ then MEMBER($D_k$) can be maintained in DynFO with work $O(W(n) \cdot \log n + (\log n)^3)$, for each $k > 1$. 

b) If MEMBER($D_k$) can be maintained in DynFO with work $W(n)$ for all $k$, then STRINGEQUALITY can be maintained in DynFO with work $O(W(n))$. 


7 Conclusion 


In this paper we proposed a framework for studying the aspect of work for the dynamic, parallel complexity class DynFO. We established that all regular languages can be maintained in DynFO with $O(n^{\varepsilon})$ work for all $\varepsilon > 0$, and even with $O(\log n)$ work for star-free regular languages. For context-free languages we argued that it will be hard to achieve work bounds lower than $O(n^{\omega - 1 - \varepsilon})$ in general, where $\omega$ is the matrix multiplication exponent. For the special case of Dyck languages $D_k$ we showed that $O(n \cdot (\log n)^2)$ work suffices, which can be further reduced to $O(\log^2 n)$ work for $D_1$. For range queries, dynamic programs with work $O(n^{1+\varepsilon})$ and $O(n^{\varepsilon})$ exist, respectively. 

We highlight some research directions. One direction is to improve the upper 
bounds on work obtained here. For instance, it would be interesting to know 
whether all regular languages can be maintained with polylog or even O(log n) 
work and how close the lower bounds for context-free languages can be matched. 
Finding important subclasses of context-free languages for which polylogarithmic 
work suffices is another interesting question. Apart from string problems, many 
DynFO results concern problems on dynamic graphs, especially the reachability 
query [5]. How large is the work of the proposed dynamic programs, and are 
more work-efficient dynamic programs possible? 

The latter question also leads to another research direction: to establish fur- 
ther lower bounds. The lower bounds obtained here are relative to strong con- 
jectures. Absolute lower bounds are an interesting goal which seems in closer 
reach than lower bounds for DynFO without bounds on the work. 
Abstract. We extend the L* algorithm to learn bimonoids recognising
pomset languages. We then identify a class of pomset automata that 
accepts precisely the class of pomset languages recognised by bimonoids 
and show how to convert between bimonoids and automata. 


1 Introduction 


Automata learning algorithms are useful in automated inference of models, which 
is needed for verification of hardware and software systems. In active learning, 
the algorithm interacts with a system through tests and observations to produce 
a model of the system’s behaviour. One of the first active learning algorithms 
proposed was L*, due to Dana Angluin [2], which infers a minimal deterministic 
automaton for a target regular language. L* has been used in a range of verifica- 
tion tasks, including learning error traces in a program [5]. For more advanced 
verification tasks, richer automata types are needed and L* has been extended 
to e.g. input-output [1], register [20], and weighted automata [16]. None of the 
existing extensions can be used in analysis of concurrent programs. 

Partially ordered multisets (pomsets) [13,12] are basic structures used in 
the modeling and semantics of concurrent programs. Pomsets generalise words, 
allowing to capture both the sequential and the parallel structure of a trace in a 
concurrent program. Automata accepting pomset languages are therefore useful 
to study the operational semantics of concurrent programs—see, for instance, 
work on concurrent Kleene algebra [17,26,21,24]. 

In this paper, we propose an active learning algorithm for a class of pomset 
automata. The approach is algebraic: we consider languages of pomsets recog- 
nised by bimonoids [28] (which we shall refer to as pomset recognisers). This can 
be thought of as a generalisation of the classical approach to language theory of 
using monoids as word acceptors: bimonoids have an extra operation that mod- 
els parallel composition in addition to sequential. The two operations give rise 
to a complex branching structure that makes the learning process non-trivial. 
The key observation is that pomset recognisers are tree automata whose alge-
braic structure satisfies additional equations. We extend tree automata learning 
algorithms [7,8,31] to pomset recognisers. The main challenge is to ensure that 
intermediate hypotheses in the algorithm are valid pomset recognisers, which is 
essential in practical scenarios where the learning process might not run to the 
very end, returning an approximation of the system under learning. This requires 
equations of bimonoids to be correctly propagated and preserved in the core data 
structure of the algorithm—the observation table. The proof of termination, in 
analogy to L*, relies on the existence of a canonical pomset recogniser of a lan- 
guage, which is based on its syntactic bimonoid. The steps of the algorithm 
provide hypotheses that get closer in size to the canonical recogniser. 

Finally, we bridge the learning algorithm to pomset automata [21,22] by 
providing two constructions that enable us to seamlessly move between pomset 
recognisers and pomset automata. Note that although bimonoids provide a useful 
formalism to denote pomset languages, which is amenable to the design of the 
learning algorithm, they enforce a redundancy that is not present in pomset 
automata: whereas a pomset automaton processes a pomset from left to right in 
sequence, one letter per branch at a time, a bimonoid needs to be able to take 
the pomset represented as a binary tree in any way and process it bottom-up. 
This requirement of different decompositions leading to the same result makes 
bimonoids in general much larger than pomset automata and hence the latter 
are, in general, a more efficient representation of a pomset language. 

The rest of the paper is organised as follows. We conclude this introductory 
section with a review of relevant related work. Section 2 contains the basic defi- 
nitions on pomsets and pomset recognisers. The learning algorithm for pomset 
recognisers appears in Section 3, including proofs to ensure termination and in- 
variant preservation. Section 4 presents constructions to translate between (a 
class of) pomset automata and pomset recognisers. We conclude with discussion 
of further work in Section 5. Omitted proofs appear in the extended version [15]. 


Related Work. There is a rich literature on adaptations and extensions of L* 
from deterministic automata to various kinds of models, see, e.g., [34,18] for an 
overview. To the best of our knowledge, this paper is the first to provide an 
active learning algorithm for pomset languages recognised by finite bimonoids. 
Our algorithm learns an algebraic recogniser. Urbat and Schröder [33] pro-
vide a very general learning approach for languages recognised by algebras for
monads [4,32], based on a reduction to categorical automata, for which they
present an L*-type algorithm. Their reduction gives rise to an infinite alphabet
in general, so tailored work is needed for deriving algorithms and finite represen- 
tations. This can be done for instance for monoids, recognising regular languages, 
but it is not clear how this could extend to pomset recognisers. We present a 
direct learning algorithm for bimonoids, which does not rely on any encoding. 
Our concrete learning algorithm for bimonoids is closely related to learn- 
ing approaches for bottom-up tree automata [7,8,31]: pomset languages can be 
viewed as tree languages satisfying certain equations. Incorporating these equa- 
tions turned out to be a non-trivial task, which requires additional checks on the
observation table during execution of the algorithm.

Conversion between recognisers and automata for a pomset language was first 
explored by Lodaya and Weil [28,27]. Their results relate the expressive power of 
these formalisms to sr-expressions. As a result, converting between recognisers 
and automata using their construction uses an sr-expression as an intermediate 
representation, increasing the resulting state space. Our construction, however, 
converts recognisers directly to pomset automata, which keeps the state space 
relatively small. Moreover, Lodaya and Weil's work focuses on pomset languages
of bounded width, i.e., with an upper bound on the number of parallel events.
In contrast, our conversions work for all recognisable pomset languages (and a 
suitable class of pomset automata), including those of unbounded width. 

Ésik and Németh [9] considered automata and recognisers for biposets, i.e.,
sp-pomsets without commutativity of parallel composition. They equate lan- 
guages recognised by bisemigroups (bimonoids without commutativity or units) 
with those accepted by parenthesizing automata. Our equivalence is similar in 
structure, but relates a subclass of pomset automata to bimonoids instead. The 
results in this paper can easily be adapted to learn representations of biposet 
languages using bisemigroups, and convert those to parenthesizing automata. 


2 Pomset Recognisers 


Throughout this paper we fix a finite alphabet Σ and assume □ ∉ Σ. When
defining sets parameterised by a set X, say S(X), we may use S to refer to S(Σ).

We recall pomsets [12,13], a generalisation of words that model concurrent
traces. A labelled poset over Σ is a tuple u = (S_u, ≤_u, λ_u), where S_u is a finite set
(the carrier of u), ≤_u is a partial order on S_u (the order of u), and λ_u: S_u → Σ
is a function (the labelling of u). Pomsets are labelled posets up to isomorphism.


Definition 1 (Pomsets). Let u, v be labelled posets over Σ. An embedding
of u in v is an injection h : S_u → S_v such that λ_v ∘ h = λ_u and s ≤_u s' if and
only if h(s) ≤_v h(s'). An isomorphism is a bijective embedding whose inverse is
also an embedding. We say u is isomorphic to v, denoted u ≅ v, if there exists
an isomorphism between u and v. A pomset over Σ is an isomorphism class of
labelled posets over Σ, i.e., [v] = {u : u ≅ v}. When u = [u] and v = [v] are
pomsets, u is a subpomset of v when there exists an embedding of u in v.


When two pomsets are in scope, we tacitly assume that they are represented
by labelled posets with disjoint carriers. We write 1 for the empty pomset. When
a ∈ Σ, we write a for the pomset represented by the labelled poset whose sole
element is labelled by a. Pomsets can be composed in sequence and in parallel:


Definition 2 (Pomset composition). Let u = [u] and v = [v] be pomsets
over Σ. We write u || v for the parallel composition of u and v, which is the
pomset over Σ represented by the labelled poset


    u || v = (S_u ∪ S_v, ≤_u ∪ ≤_v, λ_u ∪ λ_v)

Similarly, we write u · v for the sequential composition of u and v, that is, the
pomset represented by the labelled poset


    u · v = (S_u ∪ S_v, ≤_u ∪ ≤_v ∪ S_u × S_v, λ_u ∪ λ_v)

We may elide the dot for sequential composition, for instance writing ab for a · b.
The pomsets we use can be built using sequential and parallel composition.


Definition 3 (Series-parallel pomsets). The set of series-parallel pomsets
(sp-pomsets) over Σ, denoted SP(Σ), is the smallest set such that 1 ∈ SP(Σ)
and a ∈ SP(Σ) for every a ∈ Σ, closed under parallel and sequential composition.


Concurrent systems admit executions of operations that are not only ordered 
in sequence but also allow parallel branches. An algebraic structure consisting 
of both a sequential and a parallel composition operation, with a shared unit, is 
called a bimonoid. Formally, its definition is as follows. 


Definition 4 (Bimonoid). A bimonoid is a tuple (M, ⊙, ⊚, 1) where


— M is a set called the carrier of the bimonoid,

— ⊙ is a binary associative operation on M,

— ⊚ is a binary associative and commutative operation on M, and

— 1 ∈ M is a unit for both ⊙ (on both sides) and ⊚.


Bimonoid homomorphisms are defined in the usual way. 


Given a set X, the free bimonoid [12] over X is (SP(X), ·, ||, 1). The fact
that it is free means that for every function f: X → M for a given bimonoid
(M, ⊙, ⊚, 1_M) there exists a unique bimonoid homomorphism f#: SP(X) → M
such that the restriction of f# to X is f.

Just as monoids can recognise words, bimonoids can recognise pomsets [28]. 
A bimonoid together with the witnesses of recognition is a pomset recogniser. 


Definition 5 (Pomset recogniser). A pomset recogniser is a tuple R =
(M, ⊙, ⊚, 1, i, F) where (M, ⊙, ⊚, 1) is a bimonoid, i: Σ → M, and F ⊆ M.
The language recognised by R is given by L_R = {u ∈ SP : i#(u) ∈ F} ⊆ SP.


Example 6. Suppose a program consists of a loop, where each iteration runs
actions a and b in parallel. We can describe the behaviour of this program by


    L = {a || b}* = {1, a || b, (a || b) · (a || b), ...}


We can describe this language using a pomset recogniser, as follows. Let
M = {q_a, q_b, q_1, q_⊥, 1}, and let ⊙ and ⊚ be the operations on M given by


    q ⊙ q' = q'    if q = 1                  q ⊚ q' = q'    if q = 1
             q     if q' = 1                          q     if q' = 1
             q_1   if q = q' = q_1                    q_1   if {q, q'} = {q_a, q_b}
             q_⊥   otherwise                          q_⊥   otherwise


A straightforward proof verifies that (M, ⊙, ⊚, 1) is a bimonoid.
We set i(a) = q_a, i(b) = q_b, and F = {1, q_1}. Now, for n > 0:

    i#((a || b) ··· (a || b)) = (i(a) ⊚ i(b)) ⊙ ··· ⊙ (i(a) ⊚ i(b)) = q_1 ⊙ ··· ⊙ q_1 = q_1
           (n times)                        (n times)                     (n times)


No other pomsets are mapped to q_1; hence, (M, ⊙, ⊚, 1, i, F) accepts L.


Example 7. Suppose a program solves a problem recursively, such that the re-
cursive calls are performed in parallel. In that case, the program would either
perform the base action b, or some preprocessing action a followed by running
two copies of itself in parallel. This behaviour can be described by the smallest
pomset language L satisfying the following inference rules:


    ---------              u, v ∈ L
      b ∈ L          -------------------
                       a · (u || v) ∈ L


This language can be described by a pomset recogniser. Let our carrier set
be M = {q_a, q_b, q_1, q_⊥, 1}, and let ⊙ and ⊚ be the operations on M given by


    q ⊙ q' = q'    if q = 1                    q ⊚ q' = q'    if q = 1
             q     if q' = 1                            q     if q' = 1
             q_b   if q = q_a and q' = q_1              q_1   if q = q' = q_b
             q_⊥   otherwise                            q_⊥   otherwise


(M, ⊙, ⊚, 1) is a bimonoid, F = {q_b}, and i: Σ → M is given by setting i(a) = q_a
and i(b) = q_b. One can then show that (M, ⊙, ⊚, 1, i, F) accepts L.


Pomset contexts are used to describe the behaviour of individual elements in
a pomset recogniser. Formally, the set of pomset contexts over a set X is given
by PC(X) = SP(X ∪ {□}). Here the element □ acts as a placeholder, where
a pomset can be plugged in: given a context c ∈ PC(X) and t ∈ SP(X), let
c[t] ∈ SP(X) be obtained by substituting t for □ in c.


3 Learning Pomset Recognisers 


In this section we present our algorithm to learn pomset recognisers from an 
oracle (the teacher) that answers membership and equivalence queries. A mem- 
bership query consists of a pomset, to which the teacher replies whether that 
pomset is in the language; an equivalence query consists of a hypothesis pom- 
set recogniser, to which the teacher replies yes if it is correct or no with a 
counterexample—a pomset incorrectly classified by the hypothesis—if it is not. 
A pomset recogniser is essentially a tree automaton, with the additional con- 
straint that its algebraic structure satisfies the bimonoid axioms. Our algorithm 
is therefore relatively close to tree automata learning—in particular Drewes and 
Högberg [7,8]—but there are several key differences: we optimise the algorithm 
by taking advantage of the bimonoid axioms, and at the same time need to ensure 
that the hypotheses generated by the learning process satisfy those axioms. 
3.1 Observation Table


We fix a target language L ⊆ SP throughout this section. As in the original L*
algorithm, the state of the learner throughout a run of the algorithm is given by
a data structure called the observation table, which collects information about L.
The table contains rows indexed by pomsets, representing the state reached by
the correct pomset recogniser after reading that pomset; and columns indexed
by pomset contexts, used to approximately identify the behaviour of each state.
To represent the additional rows needed to approximate the pomset recogniser
structure, we use the following definition. Given U ⊆ SP, we define


    U⁺ = Σ ∪ {u · v : u, v ∈ U} ∪ {u || v : u, v ∈ U} ⊆ SP.


Definition 8 (Observation table). An observation table is a pair (S, E), with
S ⊆ SP subpomset-closed and E ⊆ PC such that 1 ∈ S and □ ∈ E. These sets
induce the function row_(S,E): S ∪ S⁺ → 2^E: row_(S,E)(s)(e) = 1 ⟺ e[s] ∈ L.
We often write row instead of row_(S,E) when S and E are clear from the context.


We depict observation tables, or more precisely row, as two separate tables
with rows in S and S⁺ \ S respectively, see for instance Example 9 below.

The goal of the learner is to extract a hypothesis pomset recogniser from the 
rows in the table. More specifically, the carrier of the underlying bimonoid of the 
hypothesis will be given by the rows indexed by pomsets in S. The structure on 
the rows is obtained by transferring the structure of the row labels onto the rows 
(e.g., row(s) ⊙ row(t) = row(s · t)), but this is not well-defined unless the table
satisfies closedness, consistency, and associativity. Closedness and consistency 
are standard in L*, whereas associativity is a new property specific to bimonoid 
learning. We discuss each of these properties next, also including compatibility, 
a property that is used to show minimality of hypotheses. 

The first potential issue is a closedness defect: this is the case when a com-
posed row, indexed by an element of S⁺, is not indexed by a pomset in S.


Example 9 (Table not closed). Recall L = {a || b}* from Example 6, and suppose
S = {1, a, b} and E = {□, a || □, □ || b}. The induced table is


                 E                                         E
            □  a || □  □ || b                        □  a || □  □ || b
     1      1    0       0                  aa       0    0       0
 S   a      0    0       1                  ab       0    0       0
     b      0    1       0        S⁺ \ S    ba       0    0       0
                                            bb       0    0       0
                                            a || a   0    0       0
                                            a || b   1    0       0
                                            b || b   0    0       0


The carrier of the hypothesis bimonoid is M = {row(1), row(a), row(b)}, but the com-
position row(a) ⊙ row(a) cannot be defined since row(aa) ∉ M.


The absence of the issue described above is captured with closedness. 




Definition 10 (Closed table). An observation table (S, E) is closed if for all
t ∈ S⁺ there exists s ∈ S such that row(s) = row(t).


Another issue that may occur is that the same row being represented by 
different index pomsets leads to an inconsistent definition of the structure. The 
absence of this issue is referred to as consistency. 


Definition 11 (Consistent table). An observation table (S, E) is consistent
if for all s_1, s_2 ∈ S such that row(s_1) = row(s_2) we have for all t ∈ S that


    row(s_1 · t) = row(s_2 · t)     row(t · s_1) = row(t · s_2)     row(s_1 || t) = row(s_2 || t).


Whenever closedness and consistency hold, one can define sequential and par- 
allel composition operations on the rows of the table. However, these operations 
are not guaranteed to be associative, as we show with the following example. 


Example 12 (Table not associative). Consider L = {au : u ∈ {b}*} over Σ =
{a, b}, and suppose S = {1, a, b} and E = {□, □a}. The induced table is:


            □   □a                          □   □a
     1      0    1                 aa       0    0
 S   a      1    0                 ab       1    0
     b      0    0       S⁺ \ S    ba       0    0
                                   bb       0    0
                                   a || a   0    0
                                   a || b   0    0
                                   b || b   0    0


This table does not lead to an associative sequential operation on rows:

    (row(a) ⊙ row(b)) ⊙ row(a) = row(ab) ⊙ row(a) = row(a) ⊙ row(a) = row(aa)
        ≠ row(ab) = row(a) ⊙ row(b) = row(a) ⊙ row(ba) = row(a) ⊙ (row(b) ⊙ row(a)).
To prevent this issue we enforce the following additional property: 


Definition 13 (Associative table). Let ∘ ∈ {·, ||}. An observation table
(S, E) is ∘-associative if for all s_1, s_2, s_3, s_l, s_r ∈ S with row(s_l) = row(s_1 ∘ s_2)
and row(s_r) = row(s_2 ∘ s_3) we have row(s_l ∘ s_3) = row(s_1 ∘ s_r). An observation
table is associative if it is both ·-associative and ||-associative.


The table from Example 12 is not ·-associative: we have row(a) = row(ab)
and row(b) = row(ba) but row(aa) ≠ row(ab).

Putting the above definitions of closedness, consistency and associativity of 
tables together, we have the following result for constructing a hypothesis. 


Lemma 14 (Hypothesis). A closed, consistent and associative table (S, E)
induces a hypothesis pomset recogniser H = (H, ⊙_H, ⊚_H, 1_H, i_H, F_H) where


    H = {row(s) : s ∈ S}                       row(s_1) ⊙_H row(s_2) = row(s_1 · s_2)

    row(s_1) ⊚_H row(s_2) = row(s_1 || s_2)     1_H = row(1)     i_H(a) = row(a)

    F_H = {row(s) : s ∈ S, row(s)(□) = 1}.

Proof. The operations ⊙_H and ⊚_H are well-defined by closedness and consis-
tency, and 1_H is well-defined because 1 ∈ S by the observation table definition.
Commutativity of ⊚_H follows from commutativity of ||, and similarly that 1_H
is a unit for both operations follows from 1 being a unit. Associativity follows
by associativity of the table (it does not follow from · and || being associative:
given elements s_1, s_2, s_3 ∈ S, s_1 · s_2 · s_3 is not necessarily present in S ∪ S⁺).


Since a hypothesis is constructed from an observation table (S, E) that
records for given s ∈ S and e ∈ E whether e[s] is accepted by the language
or not, one would expect that the hypothesis classifies those pomsets


    T_(S,E) = {e[s] : s ∈ S, e ∈ E}

correctly. This is not necessarily the case, as we show in the following example.


Example 15. Consider the language L from Example 7, and let S = {1, b} and
E = {□, a(□ || b)}. The induced table is


            □   a(□ || b)                          □   a(□ || b)
 S   1      0       0                     a        0       0
     b      1       1           S⁺ \ S    bb       0       0
                                          b || b   0       0


From this closed, consistent, and associative table we obtain a hypothesis pomset
recogniser that satisfies


    (row(a) ⊙ (row(b) ⊚ row(b)))(□) = (row(a) ⊙ row(b || b))(□)
                                     = (row(a) ⊙ row(1))(□) = row(a)(□) = 0 ≠ 1


and thus recognises a language that differs from L on a · (b || b) ∈ T_(S,E).
We thus have the following definition, parametric in a subset of T_(S,E).


Definition 16 (Compatible hypothesis). A closed, consistent, and associa-
tive observation table (S, E) induces a hypothesis H that is X-compatible with
its table, for X ⊆ SP, if for x ∈ X we have x ∈ L_H ⟺ x ∈ L. We say that the
hypothesis is compatible with its table if it is T_(S,E)-compatible with its table.


Ensuring hypotheses are compatible with their table will not be a crucial step 
in proving termination, but plays a key role in ensuring minimality (Section 3.4). 
This was originally shown by van Heerdt [14] for Mealy machines. 


3.2 The Learning Algorithm


We are now ready to introduce our learning algorithm, Algorithm 1. The main
algorithm initialises the table to ({1}, {□}) and starts by augmenting the table
to make sure it is closed and associative. We give an example below.
 1  S = {1}, E = {□}
 2  repeat
 3      repeat
 4          while (S, E) is not closed or not associative
 5              if (S, E) is not closed
 6                  find t ∈ S⁺ such that row(t) ≠ row(s) for all s ∈ S
 7                  S = S ∪ {t}
 8              for ∘ ∈ {·, ||}
 9                  if (S, E) is not ∘-associative
10                      find s_1, s_2, s_3, s_l, s_r ∈ S and e ∈ E such that
11                          row(s_l) = row(s_1 ∘ s_2), row(s_r) = row(s_2 ∘ s_3), and
12                          row(s_l ∘ s_3)(e) ≠ row(s_1 ∘ s_r)(e)
13                      let b be the result of a membership query on s_1 ∘ s_2 ∘ s_3
14                      if row(s_l ∘ s_3)(e) ≠ b
15                          E = E ∪ {e[□ ∘ s_3]}
16                      else
17                          E = E ∪ {e[s_1 ∘ □]}
18          construct the hypothesis H for (S, E)
19          if H is not compatible with its table
20              find s ∈ S and e ∈ E such that e[s] ∈ L_H ⟺ e[s] ∉ L
21              E = E ∪ {HANDLECOUNTEREXAMPLE(S, E, e[s], □)}
22      until H is compatible with its table
23      if the teacher replies no to H, with a counterexample z
24          E = E ∪ {HANDLECOUNTEREXAMPLE(S, E, z, □)}
25  until the teacher replies yes
26  return H


HANDLECOUNTEREXAMPLE(S, E, z, c)
    if z ∈ S ∪ S⁺
        let s ∈ S be such that row(s) = row(z)
        if c[s] ∈ L ⟺ c[z] ∈ L
            return s
        else
            return c
    let non-empty u_1, u_2 ∈ SP and ∘ ∈ {·, ||} be such that u_1 ∘ u_2 = z
    u_1 = HANDLECOUNTEREXAMPLE(S, E, u_1, c[□ ∘ u_2])
    if u_1 ∉ S
        return u_1
    u_2 = HANDLECOUNTEREXAMPLE(S, E, u_2, c[u_1 ∘ □])
    if u_2 ∉ S
        return u_2
    return HANDLECOUNTEREXAMPLE(S, E, u_1 ∘ u_2, c)


Algorithm 1: The pomset recogniser learning algorithm.
Example 17 (Fixing closedness and associativity). Consider the table from Ex-
ample 9, where row(aa) ∉ {row(1), row(a), row(b)} witnesses a closedness defect.
To fix this, the algorithm would add aa to the set S, which means row(aa) will
become part of the carrier of the hypothesis.

Now consider the table from Example 12. Here we found an associativity
defect witnessed by row(a) = row(ab) and row(b) = row(ba) but row(aa) ≠
row(ab). More specifically, row(aa)(□) ≠ row(ab)(□). Thus, s_1 = s_3 = s_l = a,
s_2 = s_r = b, and e = □. A membership query on aba shows aba ∉ L,
so b = 0. We have row(aa)(□) = 0, and therefore the algorithm would add the
context □[a · □] = a · □ to E.


Note that the algorithm does not explicitly check for consistency; this is be- 
cause we actually ensure a stronger property—sharpness [3]—as an invariant 
(Lemma 25). This property ensures every row indexed by a pomset in S is in- 
dexed by exactly one pomset in S (implying consistency): 


Definition 18 (Sharp table). An observation table (S, E) is sharp if for all
s_1, s_2 ∈ S such that row(s_1) = row(s_2) we have s_1 = s_2.


The idea of maintaining sharpness is due to Maler and Pnueli [29]. 

Once the table is closed and associative, we construct the hypothesis and 
check if it is compatible with its table. If this is not the case, a witness for in- 
compatibility is a counterexample by definition, so HANDLECOUNTEREXAMPLE 
is invoked to extract an extension of E, and we return to checking closedness 
and associativity. Once we obtain a hypothesis that is compatible with its table, 
we submit it to the teacher to check for equivalence with the target language. 
If the teacher provides a counterexample, we again process this and return to 
checking closedness and associativity. Once we have a compatible hypothesis for 
which there is no counterexample, we return this correct pomset recogniser. 

The procedure HANDLECOUNTEREXAMPLE, adapted from [7,8], is provided
with an observation table (S, E), a pomset z, and a context c, and finds a sin-
gle context to add to E. The main invariant is that c[z] is a counterexample.
Recursive calls replace subpomsets from S⁺ with elements of S in this counterex-
ample while maintaining the invariant. There are two types of return values: if
c is a suitable context, c is returned; otherwise the return value is an element
of S that is to replace z. The context c is suitable if z ∈ S⁺ and adding c to
E would distinguish row(s) from row(z), where s ∈ S is such that currently
row(s) = row(z). Because S is non-empty and subpomset-closed, if z ∉ S ∪ S⁺
it can be decomposed into z = u_1 ∘ u_2 for non-empty u_1, u_2 ∈ SP and ∘ ∈ {·, ||}.
We then recurse into u_1 and u_2 to replace them with elements of S and replace
z with u_1 ∘ u_2 ∈ S⁺ in a final recursive call. If c = □, the return value cannot be
in S, as we will show in Lemma 25 that these elements are not counterexamples.


Example 19 (Processing a counterexample). Consider L = {a, aa, a || a}, and
let S = {1, a} and E = {□}. This induces a closed, sharp, and associative table


            □                        □
     1      0                aa      1
 S   a      1      S⁺ \ S    a || a  1

Suppose an equivalence query on its pomset recogniser, which rejects only the
empty pomset, gives counterexample z = a || a || aa. We may decompose z
as (□ || aa)[a || a], where a || a ∈ S⁺ \ S. Because row(a || a) = row(a),
(□ || aa)[a] = a || aa, and a || aa ∈ L ⟺ z ∈ L, we update z = a || aa and
repeat the process. Now we decompose z = (a || □)[aa]. Since row(aa) = row(a),
(a || □)[a] = a || a, and a || a ∈ L ⟺ z ∉ L, we finish by adding a || □ to E.
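The constructions of Sections 2 and 3.1, and the counterexample processing just described, as one added runnable Python example (our code, not the paper's or its authors'): sp-pomsets are represented as canonical terms modulo the bimonoid axioms, i# is evaluated in the recogniser of Example 6, the closedness, consistency and associativity checks of Definitions 10, 11 and 13 are run on the tables of Examples 9 and 12, and HANDLECOUNTEREXAMPLE of Algorithm 1 reproduces the context a || □ of Example 19. The placeholder name HOLE and helper names such as s_plus and table_defects are ours; the table is assumed closed when HANDLECOUNTEREXAMPLE is called, as in the algorithm.

```python
"""Added worked example (not the paper's code): sp-pomsets as canonical terms,
i# for the recogniser of Example 6, the table checks of Definitions 10, 11 and 13
on Examples 9 and 12, and HandleCounterexample (Algorithm 1) on Example 19.
Names such as HOLE, s_plus and table_defects are ours, not the paper's."""
from itertools import product

UNIT = ("seq", ())  # the empty pomset 1
HOLE = "[]"         # the context placeholder (the paper's box symbol); not a letter

def compose(op, u, v):
    """Canonical u·v (op "seq") / u||v (op "par"): flatten same-op nodes, drop units, sort par kids."""
    kids = []
    for w in (u, v):
        if w != UNIT:
            kids.extend(w[1] if isinstance(w, tuple) and w[0] == op else [w])
    if op == "par":
        kids.sort(key=repr)  # commutativity of || : order of parallel children is irrelevant
    return UNIT if not kids else kids[0] if len(kids) == 1 else (op, tuple(kids))

def seq(u, v): return compose("seq", u, v)   # sequential composition u·v
def par(u, v): return compose("par", u, v)   # parallel composition u || v

def plug(c, t):
    """c[t]: substitute the pomset t for the placeholder in the context c."""
    if isinstance(c, str):
        return t if c == HOLE else c
    out = UNIT
    for k in c[1]:
        out = compose(c[0], out, plug(k, t))
    return out

def evaluate(u, rec):
    """i#(u): the unique bimonoid homomorphism SP -> M extending i = rec["i"]."""
    if isinstance(u, str):
        return rec["i"][u]
    acc = rec["unit"]
    for k in u[1]:
        acc = rec[u[0]](acc, evaluate(k, rec))
    return acc

def with_unit(f):  # extend an operation on M \ {1} by making "1" a two-sided unit
    return lambda q, r: r if q == "1" else q if r == "1" else f(q, r)

# Example 6: carrier {q_a, q_b, q_1, q_bot, 1}, recognising {a || b}*.
EX6 = {"i": {"a": "q_a", "b": "q_b"}, "unit": "1", "F": {"1", "q_1"},
       "seq": with_unit(lambda q, r: "q_1" if q == r == "q_1" else "q_bot"),
       "par": with_unit(lambda q, r: "q_1" if {q, r} == {"q_a", "q_b"} else "q_bot")}

def member6(u): return evaluate(u, EX6) in EX6["F"]   # membership oracle for Example 6

def s_plus(S, sigma):
    """S+ = Sigma ∪ {u·v : u, v ∈ S} ∪ {u || v : u, v ∈ S}."""
    return set(sigma) | {f(u, v) for f in (seq, par) for u in S for v in S}

def table_defects(S, E, sigma, member):
    """(closed, consistent, associative) for the table (S, E); E is a list of contexts."""
    row = {t: tuple(int(member(plug(e, t))) for e in E) for t in S | s_plus(S, sigma)}
    s_rows = {row[s] for s in S}
    closed = all(row[t] in s_rows for t in s_plus(S, sigma))
    consistent = all(row[f(s1, t)] == row[f(s2, t)] and row[f(t, s1)] == row[f(t, s2)]
                     for s1, s2, t in product(S, repeat=3) if row[s1] == row[s2]
                     for f in (seq, par))
    associative = all(row[f(sl, s3)] == row[f(s1, sr)]
                      for f in (seq, par) for s1, s2, s3, sl, sr in product(S, repeat=5)
                      if row[sl] == row[f(s1, s2)] and row[sr] == row[f(s2, s3)])
    return closed, consistent, associative

def handle_counterexample(S, E, sigma, member, z, c=HOLE):
    """Algorithm 1's HandleCounterexample on a closed table: c[z] is a counterexample;
    returns either a context to add to E or an element of S that replaces z."""
    if z in S or z in s_plus(S, sigma):
        row = lambda t: tuple(member(plug(e, t)) for e in E)
        s = next(s for s in S if row(s) == row(z))
        return s if member(plug(c, s)) == member(plug(c, z)) else c
    op, kids = z  # z is a proper composition u1 ∘ u2: split off its first child
    u1, u2 = kids[0], (kids[1] if len(kids) == 2 else (op, kids[1:]))
    u1 = handle_counterexample(S, E, sigma, member, u1, plug(c, compose(op, HOLE, u2)))
    if u1 not in S:
        return u1
    u2 = handle_counterexample(S, E, sigma, member, u2, plug(c, compose(op, u1, HOLE)))
    if u2 not in S:
        return u2
    return handle_counterexample(S, E, sigma, member, compose(op, u1, u2), c)

def member12(u):  # L = {a·u : u ∈ {b}*} of Example 12, decided on canonical forms
    return u == "a" or (isinstance(u, tuple) and u[0] == "seq"
                        and u[1][:1] == ("a",) and all(k == "b" for k in u[1][1:]))

def member19(u): return u in {"a", seq("a", "a"), par("a", "a")}   # L of Example 19

S3 = {UNIT, "a", "b"}                        # S = {1, a, b} of Examples 9 and 12
E9 = [HOLE, par("a", HOLE), par(HOLE, "b")]  # E of Example 9 (table not closed)
E12 = [HOLE, seq(HOLE, "a")]                 # E of Example 12 (not ·-associative)
Z19 = par(par("a", "a"), seq("a", "a"))      # counterexample a || a || aa of Example 19

if __name__ == "__main__":
    print(table_defects(S3, E9, {"a", "b"}, member6))      # (False, True, True)
    print(table_defects(S3, E12, {"a", "b"}, member12))    # (True, True, False)
    print(handle_counterexample({UNIT, "a"}, [HOLE], {"a"}, member19, Z19) == par("a", HOLE))  # True
```

Because the canonical form flattens nested compositions, the decomposition chosen for z in Example 19 differs from the one in the text, but the recursion ends with the same context a || □.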


3.3 Termination and Query Complexity 


Our termination argument is based on a comparison of the current observation
table with the infinite table (SP, PC). We first show that the latter induces a hy-
pothesis, called the canonical pomset recogniser for the language. Its underlying
bimonoid is isomorphic to the syntactic bimonoid [28] for the language.


Lemma 20. (SP,PC) is a closed, consistent, and associative observation table. 


Definition 21 (Canonical pomset recogniser). The canonical pomset re-
cogniser for L is the hypothesis for the observation table (SP, PC). We denote
this hypothesis by (M_L, ⊙_L, ⊚_L, 1_L, i_L, F_L).


The comparison of the current table with (SP, PC) is in terms of the number 
of distinct rows they hold. In the following lemma we show that the number of 
the former is bounded by the number of the latter. 


Lemma 22. If M_L is finite, any observation table (S, E) satisfies
|{row(s) : s ∈ S}| ≤ |M_L|.


Proof. Note that M_L = {row_(SP,PC)(s) : s ∈ SP}. Given s_1, s_2 ∈ S such that
row_(S,E)(s_1) ≠ row_(S,E)(s_2) we have row_(SP,PC)(s_1) ≠ row_(SP,PC)(s_2). This implies
|{row(s) : s ∈ S}| ≤ |M_L|.


An important fact will be that none of the pomsets in S can form a coun-
terexample for the hypothesis of a table (S, E). In order to show this we will first
show that the hypothesis is always reachable, a concept we define for arbitrary
pomset recognisers below.


Definition 23 (Reachability). A pomset recogniser R = (M, ⊙, ⊚, 1, i, F) is
reachable if for all m ∈ M there exists u ∈ SP such that i#(u) = m.


Our reachability lemma relies on the fact that S is subpomset-closed. 


Lemma 24 (Hypothesis reachability). Given a closed, consistent, and as-
sociative observation table (S, E), the hypothesis it induces is reachable. In par-
ticular, i_H#(s) = row(s) for any s ∈ S.


From the above it follows that we always have compatibility with respect to 
the set of row indices, as we show next. 
Lemma 25. The hypothesis of any closed, consistent, and associative observa-
tion table (S, E) is S-compatible.


Before turning to our termination proof, we show that some simple properties 
hold throughout a run of the algorithm. 


Lemma 26 (Invariant). Throughout execution of Algorithm 1, we have that 
(S, E) is a sharp observation table. 


Proof. Subpomset-closedness holds throughout each run since {1} is subpomset-
closed and adding a single element of S⁺ to S preserves the property.

For sharpness, first note that the initial table is sharp as it only has one row.
Sharpness of (S, E) can only be violated when adding elements to S. But the
only place where this happens is on line 7, and there the new row is unequal to
all previous rows, which means sharpness is preserved.


The preceding results allow us to prove our termination theorem.


Theorem 27 (Termination). If M_L is finite, then Algorithm 1 terminates.


Proof. First, we observe that fixing a closedness defect by adding a row (line 7)
can only happen finitely many times, since, by Lemma 22, the size of {row(s) :
s ∈ S} is bounded by |M_L|.

This means that it suffices to show the following two points: 


1. Each iteration of any of the loops starting on lines 2–4 either fixes a closed-
ness defect by adding a row, or adapts E so that (S, E) ends up not being
closed at the end of the loop body. In the second case, a closedness defect will
be fixed in the following iteration of the inner while loop.

2. The calls to HANDLECOUNTEREXAMPLE terminate. 


Combined, these show that the algorithm terminates. For the first point, we 
treat each of the cases: 


— If the table is not closed, we directly find a new row that is taken from the 
S*-part of the table and added to the S-part of the table. 

— Consider the failure of »-associativity, for v € {-, ||}, and let 51, 52, 53, $1, Sr € 

S and e € E be such that row(s;) = row(s; © s2), row(s,) = row(s2° s3), and 
row(s; ° 53)(e) A row(s; © 8,)(e). Suppose row(s; » s3)(e) A b, with b be the 
result of a membership query on s4 9 52°83. Then ejO v s3] distinguishes the 
previously equal rows row(s1 © s2) and row(s;), so adding it to E creates a 
closedness defect. The fact that row(s; ° s2) cannot remain equal to another 
row than row(s;) is a result of the sharpness invariant. 
Alternatively, row(s; ° s3)(e) = b means row(s, © s,)(e) Æ b, for otherwise 
we would contradict row(s; ° s3)(e) # row(s1 9 sr)(e). For similar reasons 
the context e[s; v O] in this case distinguishes the previously equal rows 
row(s; © s2) and row(s,), creating a closedness defect. 

— A compatibility defect results in the identification of a counterexample, the 
handling of which we discuss next. 
— Whenever a counterexample is identified, we eventually find a context c, s ∈ S, and t ∈ S⁺ \ S such that row(t) = row(s) and c[t] ∈ L ⟺ c[s] ∉ L. Thus, adding c to E creates a closedness defect.


Termination of HANDLECOUNTEREXAMPLE follows: the first two recursive calls in the procedure replace z with strict subpomsets of z, whereas the last one replaces z with an element of S⁺, so no further recursion will happen.


Query Complexity. We determine upper bounds on the membership and equivalence query numbers of a run of the algorithm in terms of the size of the canonical pomset recogniser n = |M_L|, the size of the alphabet k = |Σ|, and the maximum number of operations (from {·, ‖}, used to compose alphabet symbols) m found in a counterexample. We note that since the number of distinct rows indexed by S is bounded by n and the table remains sharp throughout any run, the final size of S is at most n. Thus, the final size of S⁺ is in O(n² + k). Given the initialisation of S with a single element, the number of closedness defects fixed throughout a run is at most n − 1. This means that the total number of associativity defects fixed and counterexamples handled (including those resulting from compatibility defects) together is n − 1. We can already conclude that the number of equivalence queries posed is bounded by n. Moreover, we know that the final table will have at most n columns, and therefore the total number of cells in that table will be in O(n² + kn).

The number of membership queries posed during a run of the algorithm is 
given by the number of cells in the table plus the number of queries needed 
during the processing of counterexamples. Consider the counterexample z that 
contains the maximum number of operations among those encountered during 
a run. The first two recursive calls of HANDLECOUNTEREXAMPLE break down 
one operation, whereas the third is used to execute a base case making two 
membership queries and does not lead to any further recursion. The number 
of membership queries made starting from a given counterexample is thus in 
O(m). This means the total number of membership queries during the processing 
of counterexamples is in O(mn), from which we conclude that the number of 
membership queries posed during a run is in O(n² + mn + kn).


3.4 Minimality of Hypotheses 


In this section we will show that all hypotheses submitted by the algorithm to 
the teacher are minimal. We first need to define what minimality means. As is 
the case for DFAs, it is the combination of an absence of unreachable states and 
of every state exhibiting its own distinct behaviour. 


Definition 28 (Minimality). A pomset recogniser R = (M, ⊙, ⊗, 1, i, F) is minimal if it is reachable and for all u, v ∈ SP with i♯(u) ≠ i♯(v) there exists c ∈ PC such that c[u] ∈ L_R ⟺ c[v] ∉ L_R.


Before proving the main result of this section, we need the following: 
Lemma 29. For all pomset recognisers (M, ⊙, ⊗, 1, i, F) and u, v ∈ SP such that i♯(u) = i♯(v) we have for any c ∈ PC that i♯(c[u]) = i♯(c[v]).


The minimality theorem below relies on table compatibility, which allows us 
to distinguish the behaviour of states based on the contents of their rows. Note 
that the algorithm only submits a hypothesis in an equivalence query if that 
hypothesis is compatible with its table. 


Theorem 30 (Minimality of hypotheses). A closed, consistent, and associative observation table (S, E) induces a minimal hypothesis if the hypothesis is compatible with its table.


Proof. We obtain the hypothesis H from Lemma 14. Since S is subpomset-closed, we have by Lemma 24 that the hypothesis is reachable. Moreover, for every s ∈ S we have i_H♯(s) = row(s). Consider u_1, u_2 ∈ SP such that i_H♯(u_1) ≠ i_H♯(u_2). Then there exist s_1, s_2 ∈ S such that row(s_1) = i_H♯(u_1) and row(s_2) = i_H♯(u_2), and we have row(s_1) ≠ row(s_2). Let e ∈ E be such that row(s_1)(e) ≠ row(s_2)(e). We have

$$
\begin{aligned}
i_H^\sharp(e[u_1]) \in F_H &\iff i_H^\sharp(e[s_1]) \in F_H &&\text{(Lemma 29)} \\
&\iff e[s_1] \in L_H \\
&\iff \mathrm{row}(s_1)(e) = 1 \\
&\iff \mathrm{row}(s_2)(e) = 0 \\
&\iff e[s_2] \notin L_H \\
&\iff i_H^\sharp(e[s_2]) \notin F_H \\
&\iff i_H^\sharp(e[u_2]) \notin F_H. &&\text{(Lemma 29)}
\end{aligned}
$$


As a corollary, we find that the canonical pomset recogniser is minimal. 


Proposition 31. The canonical pomset recogniser is minimal. 


4 Conversion to Pomset Automata 


Bimonoids are a useful representation of pomset languages because sequential 
and parallel composition are on an equal footing; in the case of the learning al- 
gorithm of the previous section, this helps us treat both operations similarly. On 
the other hand, the behaviour of a program is usually thought of as a series of 
actions, some of which involve launching two or more threads that later combine. 
Here, sequential actions form the basic unit of computation, while fork/join pat- 
terns of threads are specified separately. Pomset automata [22] encode this more 
asymmetric model: they can be thought of as non-deterministic finite automata 
with an additional transition type that brokers forking and joining threads. 

In this section, we show how to convert a pomset recogniser to a certain 
type of pomset automaton, where acceptance of a pomset is guided by its struc- 
ture; conversely, we show that each of the pomset automata in this class can 
be represented by a pomset recogniser. Together with the previous section, this
establishes that the languages of pomset automata in this class are learnable. 

If S is a set, we write M(S) for the set of finite multisets over S. A finite multiset over S is written φ = ⦃s_1, ..., s_n⦄.


Definition 32 (Pomset automata). A pomset automaton (PA) is a tuple A = (Q, I, F, δ, γ) where

— Q is a set of states, with I, F ⊆ Q the initial and accepting states, and
— δ : Q × Σ → 2^Q the sequential transition function, and
— γ : Q × M(Q) → 2^Q the parallel transition function.

Lastly, for every q ∈ Q there are finitely many φ ∈ M(Q) such that γ(q, φ) ≠ ∅.


A finite PA can be represented graphically: every state is drawn as a vertex, with accepting states doubly circled and initial states pointed out by an arrow, while δ-transitions are represented by labelled edges, and γ-transitions are drawn as a multi-ended edge. For instance, in Figure 1a, we have drawn a PA with states q_0 through q_5 with q_5 accepting, and q_1 ∈ δ(q_0, a) (among other δ-transitions), while the multi-ended edge represents that q_2 ∈ γ(q_1, ⦃q_3, q_4⦄), i.e., q_1 can launch threads starting in q_3 and q_4, which, upon termination, resume in q_2.


(a) A simple PA. (b) A non-saturated PA. 


Fig. 1: Some pomset automata. 


The sequential transition function is interpreted as in non-deterministic finite automata: if q' ∈ δ(q, a), then a machine in state q may transition to state q' after performing the action a. The intuition to the parallel transition function is that if q' ∈ γ(q, ⦃r_1, ..., r_n⦄), then a machine in state q may launch threads starting in states r_1 through r_n, and when each of those has terminated successfully, may proceed in state q'. Note how the representation of starting states in a γ-transition allows for the possibility of launching multiple instances of the same thread, and disregards their order, i.e., γ(q, ⦃r_1, ..., r_n⦄) = γ(q, ⦃r_n, ..., r_1⦄). This intuition is made precise through the notion of a run.


Definition 33 (Run relation). The run relation of a PA A = (Q, I, F, δ, γ), denoted →_A, is defined as the smallest subset of Q × SP × Q satisfying

$$
\frac{}{q \xrightarrow{1}_A q}
\qquad
\frac{q' \in \delta(q, a)}{q \xrightarrow{a}_A q'}
\qquad
\frac{q' \in \gamma(q, \{\!\{r_1, \dots, r_n\}\!\}) \quad \forall 1 \le i \le n.\ r_i \xrightarrow{u_i}_A r_i' \in F}{q \xrightarrow{u_1 \parallel \cdots \parallel u_n}_A q'}
\qquad
\frac{q \xrightarrow{u}_A q' \quad q' \xrightarrow{v}_A q''}{q \xrightarrow{u \cdot v}_A q''}
$$

The language accepted by A is $L_A = \{u \in SP : \exists q \in I,\ q' \in F.\ q \xrightarrow{u}_A q'\}$.


Example 34. If A is the PA from Figure 1a, we can see that $q_3 \xrightarrow{b}_A q_5$ and $q_4 \xrightarrow{c}_A q_5$ as a result of the second rule; by the third rule, we find that $q_1 \xrightarrow{b \parallel c}_A q_2$. Since $q_2 \xrightarrow{a}_A q_5$ and $q_0 \xrightarrow{a}_A q_1$ (again by the second rule), we can conclude $q_0 \xrightarrow{a \cdot (b \parallel c) \cdot a}_A q_5$ by repeated application of the last rule. The language accepted by this PA is the singleton set {a · (b ‖ c) · a}.
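As an added example (not code from the paper), the run relation of Definition 33 can be evaluated by structural recursion on series-parallel terms; the automaton below is the one Example 34 describes, with the state names and transitions that example mentions. It assumes every fork has exactly two threads, so the fork rule only ever has to match a parallel pomset u ‖ v; the class and function names are this example's own.

```python
# Added example, not from the paper: the run relation of Definition 33 computed
# by structural recursion over series-parallel pomset terms, then applied to the
# PA of Figure 1a as it is described in Example 34 (state names and transitions
# are the ones Example 34 mentions; Figure 1 itself is not reproduced here).
# Assumption: every fork in the automaton has exactly two threads, so the fork
# rule only ever matches a parallel pomset u || v (the shape of Definition 35 (ii)).
from typing import Dict, FrozenSet, List, Tuple

# Series-parallel pomset terms: a letter is a str, the empty pomset 1 is (),
# ('seq', u, v) is u . v and ('par', u, v) is u || v.
def seq(u, v):
    return ('seq', u, v)

def par(u, v):
    return ('par', u, v)

def par_parts(u) -> List:
    """Flatten nested parallel compositions, since (u || v) || w = u || (v || w)."""
    if isinstance(u, tuple) and len(u) == 3 and u[0] == 'par':
        return par_parts(u[1]) + par_parts(u[2])
    return [u]

def par_of(parts: List):
    """Rebuild a term from a non-empty list of parallel components."""
    t = parts[0]
    for p in parts[1:]:
        t = par(t, p)
    return t

class PA:
    """A pomset automaton (Q, I, F, delta, gamma) as in Definition 32."""

    def __init__(self, states, initial, final, delta, gamma):
        self.Q = frozenset(states)
        self.I = frozenset(initial)
        self.F = frozenset(final)
        # delta[(q, a)] = set of q' reachable by the sequential transition on a
        self.delta: Dict[Tuple[str, str], FrozenSet[str]] = {
            k: frozenset(v) for k, v in delta.items()}
        # gamma[(q, (r, s))] = set of q'; the multiset {|r, s|} is stored as a
        # sorted pair so that {|r, s|} and {|s, r|} are the same key
        self.gamma: Dict[Tuple[str, Tuple[str, str]], FrozenSet[str]] = {
            (q, tuple(sorted(m))): frozenset(v) for (q, m), v in gamma.items()}

    def runs(self, q: str, u) -> FrozenSet[str]:
        """All q' with q -u-> q', following the four rules of Definition 33."""
        if u == ():                                      # q -1-> q
            return frozenset({q})
        if isinstance(u, str):                           # q' in delta(q, a)
            return self.delta.get((q, u), frozenset())
        kind, v, w = u
        if kind == 'seq':                                # q -v-> q'' -w-> q'
            return frozenset(q2 for q1 in self.runs(q, v)
                                for q2 in self.runs(q1, w))
        # Fork rule: q' in gamma(q, {|r, s|}), r runs one part of the parallel
        # pomset into F and s runs the rest into F. Every split of the parallel
        # components into two non-empty groups is tried, in both orientations.
        parts = par_parts(u)
        result = set()
        for (q0, (r, s)), targets in self.gamma.items():
            if q0 != q:
                continue
            for mask in range(1, 2 ** len(parts) - 1):
                left = [p for i, p in enumerate(parts) if mask >> i & 1]
                right = [p for i, p in enumerate(parts) if not mask >> i & 1]
                if (self.runs(r, par_of(left)) & self.F
                        and self.runs(s, par_of(right)) & self.F):
                    result |= targets
        return frozenset(result)

    def accepts(self, u) -> bool:
        """u is in L_A iff q -u-> q' for some q in I and q' in F."""
        return any(self.runs(q, u) & self.F for q in self.I)

# The PA of Figure 1a, as read off Example 34: q0 -a-> q1, q1 forks into
# q3 and q4 and resumes in q2, q3 -b-> q5, q4 -c-> q5, q2 -a-> q5, q5 accepting.
FIG_1A = PA(
    states={'q0', 'q1', 'q2', 'q3', 'q4', 'q5'},
    initial={'q0'},
    final={'q5'},
    delta={('q0', 'a'): {'q1'}, ('q3', 'b'): {'q5'},
           ('q4', 'c'): {'q5'}, ('q2', 'a'): {'q5'}},
    gamma={('q1', ('q3', 'q4')): {'q2'}},
)

A_BC_A = seq(seq('a', par('b', 'c')), 'a')   # the pomset a . (b || c) . a

if __name__ == '__main__':
    print(FIG_1A.runs('q1', par('b', 'c')))   # frozenset({'q2'})
    print(FIG_1A.accepts(A_BC_A))             # True
```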


In general, finite pomset automata can accept a very wide range of pomset languages, including all context-free (pomset) languages [23]. The intuition behind this is that the mechanism of forking and joining encoded in γ can be used to simulate a call stack. For example, the automaton in Figure 1b accepts the strictly context-free language (of words) {aⁿ · bⁿ : n ∈ ℕ}. It follows that PAs can represent strictly more pomset languages than pomset recognisers. To tame the expressive power of PAs at least slightly, we propose the following.


Definition 35 (Saturation). We say that A = (Q, I, F, δ, γ) is saturated when for all u, v ∈ SP with u, v ≠ 1, both of the following are true:

(i) If $q \xrightarrow{u \cdot v}_A q'$, then there exists a q'' ∈ Q with $q \xrightarrow{u}_A q''$ and $q'' \xrightarrow{v}_A q'$.

(ii) If $q \xrightarrow{u \parallel v}_A q'$, then there exist r, s ∈ Q and r', s' ∈ F such that $r \xrightarrow{u}_A r'$, $s \xrightarrow{v}_A s'$, and $q' \in \gamma(q, \{\!\{r, s\}\!\})$.


Example 36. Returning to Figure 1, we see that the PA in Figure 1a is saturated, while Figure 1b is not, as a result of the run $q \xrightarrow{a \cdot b}_A q_4$, which does not admit an intermediate state q' such that $q \xrightarrow{a}_A q'$ and $q' \xrightarrow{b}_A q_4$.


We now have everything in place to convert the encoding of a language given 
by a pomset recogniser to a pomset automaton. The idea is to represent every 
element q of the bimonoid by a state which accepts exactly the language of 
pomsets mapped to q; the transition structure is derived from the operations. 


Lemma 37. Let R = (M, ⊙, ⊗, 1, i, F) be a pomset recogniser. We construct the pomset automaton A = (M, F, {1}, δ, γ) (note: we use F as the set of initial states) where δ : M × Σ → 2^M and γ : M × M(M) → 2^M are given by

$$
\delta(q, a) = \{q' : i(a) \odot q' = q\}
\qquad
\gamma(q, \varphi) = \{q' : (r \otimes r') \odot q' = q,\ \varphi = \{\!\{r, r'\}\!\}\}
$$

Then A is saturated, and L_A = L_R.


Example 38. Let (M, ⊙, ⊗, 1, i, F) be the pomset recogniser from Example 7. The pomset automaton that arises from the construction above is partially depicted in Figure 2; we have not drawn the state q_1 and its incoming transitions, or forks into 1, to avoid clutter. In this PA, we see that, since q_a ⊙ q_1 = q and i(a) = q_a, we have q_1 ∈ δ(q, a). Furthermore, since (ph O@m)O1=qMO1=M, we also have 1 ∈ γ(q_1, {@%; @l}). Finally, q is initial, since F = {q}.




Fig.2: Part of the PA obtained from the pomset recogniser from Example 7, 
using the construction from Lemma 37. The state q1 (which does not contribute 
to the language of the automaton) and forks into the state 1 are not pictured. 


We have thus shown that the language of any pomset recogniser can be 
accepted by a finite and saturated PA. In turn, this shows that our algorithm 
can, in principle, be adapted to work with a teacher that takes a (saturated) PA 
instead of a pomset recogniser as hypothesis, by simply converting the hypothesis 
pomset recogniser to an equivalent PA before sending it over. 

Conversely, we can show that the transition relations of a saturated PA carry 
the algebraic structure of a bimonoid, and use that to show that a language 
recognised by a saturated PA is also recognised by a bimonoid. This shows that 
our characterisation is “tight”, i.e., languages recognised by saturated PAs are 
precisely those recognised by bimonoids, and hence learnable. 


Lemma 39. Let A = (Q, I, F, δ, γ) be a saturated pomset automaton. We can construct a pomset recogniser R = (M, ⊙, ⊗, 1, i, F'), where

$$
M = \{\xrightarrow{u}_A : u \in SP\}
\qquad
\xrightarrow{u}_A \odot \xrightarrow{v}_A = \xrightarrow{u \cdot v}_A
\qquad
\xrightarrow{u}_A \otimes \xrightarrow{v}_A = \xrightarrow{u \parallel v}_A
\qquad
1 = \xrightarrow{1}_A
$$
$$
i(a) = \xrightarrow{a}_A
\qquad
F' = \{\xrightarrow{u}_A \in M : \exists q \in I,\ q' \in F.\ q \xrightarrow{u}_A q'\}
$$

Now ⊙ and ⊗ are well-defined, and R is a pomset recogniser such that L_R = L_A.


If A is finite, then so is R, since each of the elements of M is a relation on 
Q, and there are finitely many relations on a finite set. 

In general, the PA obtained from a pomset recogniser may admit runs where 
the same fork transition is nested repeatedly. Recognisable pomset languages 
of bounded width may be recognised by a pomset recogniser that is depth- 
nilpotent [28], which can be converted into a fork-acyclic PA by way of an 
sr-expression [28,22]. However, this detour via sr-expressions is not necessary: 
one can adapt Lemma 37 to produce a fork-acyclic PA, when given a depth- 
nilpotent pomset recogniser. The details are discussed in the full version [15]. 

We conclude this section by remarking that the minimal pomset recogniser for 
a bounded-width language is necessarily depth-nilpotent [28]; since our algorithm 
produces a minimal pomset recogniser, this means that we can also produce a 
fork-acyclic PA after learning a bounded-width recognisable pomset language. 


5 Discussion 


To learn DFAs, there are several alternatives to the observation table data struc- 
ture that reduce the space complexity of the algorithm. Most notable is the clas- 
sification tree [25], which distinguishes individual pairs of words (which for us 
would be pomsets) at every node rather than filling an entire row for each of
them. The TTT algorithm [19] further builds on this and achieves optimal space 
complexity. Given that we developed the first learning algorithm for pomset lan- 
guages, we opted for the simplicity of the observation table—optimisations such 
as those analogous to the aforementioned work are left to future research. 


We would like to extend our algorithm to learn recognisers based on arbitrary 
algebraic theories. One challenge is to ensure that the equations of the theory 
hold for hypotheses, by generalising our definition of associativity (Definition 13). 


Our algorithm can also be specialised to learn languages recognised by com- 
mutative monoids. These languages of multisets can alternatively be represented 
as semi-linear sets [30] or described using Presburger arithmetic [11]. While not 
all languages described this way are recognisable (for instance, the set of multisets over Σ = {a, b} with as many a's as b's [28]), it would be interesting to be
able to learn at least the fragment representable by commutative monoids, and 
apply that to one of the domains where semi-linear sets are used. 


Our algorithm is limited to learning languages of series-parallel pomsets; 
there exist pomsets which are not series-parallel, each of which must contain an 
“N-shape” [12,13,35]. Since N-shapes appear in pomsets that describe message 
passing between threads, we would like to be able to learn such languages as 
well. We do not see an obvious way to extend our algorithm to include these 
pomsets, but perhaps recent techniques from [10] can provide a solution. 


Every hypothesis of our algorithm can be converted to a pomset automaton. 
The final pomset recogniser for a bounded-width language is minimal, and hence 
depth-nilpotent [28], which means that it can be converted to a fork-acyclic PA. 
In future work, we would like to guarantee that the same holds for intermediate 
hypotheses when learning a bounded-width language. 


Running two threads in parallel may be implemented by running some initial 
section of those threads in parallel, followed by running the remainder of those 
threads in parallel. This interleaving is represented by the exchange law [12,13]. 
One can specialise pomset recognisers to include this interleaving to obtain recog- 
nisers of pomset languages closed under subsumption [28], i.e., such that if a 
pomset u is recognised, then so are all of the “more sequential” versions of u. 
We would like to adapt our algorithm to learn these types of recognisers, and 
exploit the extra structure provided by the exchange law to optimise further. 


We have shown that recognisable pomset languages correspond to saturated 
regular pomset languages (Lemmas 37 and 39). One question that remains is 
whether there is an algorithm that can learn all or at least a larger class of 
regular pomset languages. Given that pomset automata can accept context-free 
languages (Figure 1b), we wonder if a suitable notion of context-free grammars 
for pomset languages could be identified. Clark [6] showed that there exists 
a subclass of context-free languages that can be learned via an adaptation of 
L*. Arguably, this adaptation learns recognisers with a monoidal structure and 
reverses this structure to obtain a grammar. An extension of this work to pomset 
languages might lead to a learning algorithm that learns more PAs. 
Abstract. We show that the formalism of "Sum-Over-Path" (SOP), used for symbolically representing linear maps or quantum operators, together with a proper rewrite system, has the structure of a dagger-compact PROP. Several consequences arise from this observation:

— Morphisms of SOP are very close to the diagrams of the graphical calculus called ZH-Calculus, so we give a system of interpretation between the two

— A construction, called the discard construction, can be applied to enrich the formalism so that, in particular, it can represent the quantum measurement.

We also enrich the rewrite system so as to get the completeness of the Clifford fragments of both the initial formalism and its enriched version.


Keywords: Categorical Quantum Mechanics - Dagger-Compact PROP - Sum- 
Over-Paths - Clifford Fragment - Normal Form - Rewriting - Discard Construc- 
tion - Verification. 


1 Introduction 


The “Sum-Over-Paths” (SOP) formalism [1] was introduced in order to perform 
verification on quantum circuits. It is inspired by Feynman’s notion of path- 
integrals, and can be conceived as a discrete version of it. 

The core idea here is to represent unitary transformations in a symbolic 
way, so as to be able to simplify the term, which would for instance accelerate 
its evaluation. To do so, the formalism comes equipped with a rewrite system, 
which reduces any term into an equivalent one. 

As pure quantum circuits (which represent unitary maps) can easily be mapped to an SOP morphism, one can try and perform verification: given a specification S and another SOP morphism t obtained from a circuit supposed to implement the specification, we can compute the term S ∘ t† and try to reduce it to the identity. In a very similar way, one can check whether two quantum circuits implement the same unitary map.


* This work was made during a Postdoc funded by the project PIA-GDN/Quantex. 
Proofs can be found at arXiv:2003.05678 
The rewrite system is known to be complete for Clifford unitary maps, i.e. in the Clifford fragment of quantum mechanics, the term obtained from t_1 ∘ t_2† will reduce to the identity iff t_1 and t_2 represent the same unitary map. Moreover,
this reduction terminates in time polynomial in the size of the SOP term (itself 
related to the size of the quantum circuit), and still performs well outside the 
Clifford fragment. 

Lately, the SOP formalism has been used for efficient verification of optimi- 
sation strategies such as [4,12], as well as for specification of quantum circuits 
[6]. 

In this paper, we are interested in extensions of the formalism. We first focus 
on its categorical structure, and show that arbitrary terms already go beyond 
the representation of unitary maps. We then turn to extending the formalism 
to encompass mixed quantum processes. In both cases, we show a completeness 
result for their respective Clifford fragment. 

In Section 2, we explain in detail the structure of †-compact PROP, which we show in Section 3 to be shared by SOP.

Because the formalism is no longer restricted to unitary maps, we argue that 
it could benefit from a slight redefinition, which is done in Section 4. 

Another “family” of categories that share this structure is the family of 
graphical languages for quantum computation: ZX-Calculus, ZW-Calculus and 
ZH-Calculus [3,7,8]. All three formalisms represent morphisms of Qubit using 
diagrams, and come with equational theories, proven to be complete for the 
whole category [3,11,19], i.e. whenever two diagrams represent the same mor- 
phism of Qubit, the first can be turned into the other using only the equational 
theory. 

In Section 5, we present interpretations between the respective Clifford frag- 
ments of the ZH-calculus and SOP, in a slightly different way than in [14,15], 
partly thanks to our redefinition of sums-over-paths. 

In Section 6, we realise that the original rewrite system of SOP is not enough 
for the completeness of the Clifford fragment of Qubit. We hence enrich the set 
of rules so as to get the completeness in this restriction. 

In Section 7, we enrich the whole formalism using the discard construction 
[5], so as to be able to represent completely positive maps, as well as the operator 
of partial trace. Again, one can consider the Clifford fragment of this formalism. 
We give a new set of rewrite rules, and show that it makes the fragment complete. 


2 Background 


2.1 PROPs and String Diagrams 


The first kind of category we will be interested in is the PROP [13,20]. A PROP C is a strict symmetric monoidal category (SMC) [16,18] generated by a single object, or equivalently, whose objects form ℕ. Hence the morphisms of C are of the form f : n → m. They can be composed sequentially (. ∘ .) or in parallel (. ⊗ .), and they satisfy the following axioms:

$$
f \circ (g \circ h) = (f \circ g) \circ h
\qquad
f \otimes (g \otimes h) = (f \otimes g) \otimes h
\qquad
(f_2 \circ f_1) \otimes (g_2 \circ g_1) = (f_2 \otimes g_2) \circ (f_1 \otimes g_1)
$$


The category is also equipped with a particular family of morphisms σ_{n,m} : n + m → m + n. Intuitively, these allow morphisms to swap places. They satisfy additional axioms:

$$
\sigma_{n,m+p} = (\mathrm{id}_m \otimes \sigma_{n,p}) \circ (\sigma_{n,m} \otimes \mathrm{id}_p)
\qquad
\sigma_{n+m,p} = (\sigma_{n,p} \otimes \mathrm{id}_m) \circ (\mathrm{id}_n \otimes \sigma_{m,p})
$$
$$
\sigma_{m,n} \circ \sigma_{n,m} = \mathrm{id}_{n+m}
\qquad
(\mathrm{id}_p \otimes f) \circ \sigma_{n,p} = \sigma_{m,p} \circ (f \otimes \mathrm{id}_p)
$$


2.2 †-Compact PROPs

Some PROPs can have additional structure, such as a compact-closed structure, or a †-functor.

A †-PROP C is a PROP together with an involutive, identity-on-objects functor (.)† : C^op → C compatible with (. ⊗ .). That is, for every morphism f : n → m, there is a morphism f† : m → n such that f†† = f. It behaves with the compositions by (f ∘ g)† = g† ∘ f† and (f ⊗ g)† = f† ⊗ g†. Finally, we have σ_{n,m}† = σ_{m,n}.

A †-compact PROP has two particular families of morphisms: η_n : 0 → 2n and ε_n : 2n → 0. These are dual by the †-functor: η_n† = ε_n. They satisfy the following axioms:

$$
(\varepsilon_n \otimes \mathrm{id}_n) \circ (\mathrm{id}_n \otimes \eta_n) = \mathrm{id}_n = (\mathrm{id}_n \otimes \varepsilon_n) \circ (\eta_n \otimes \mathrm{id}_n)
$$
$$
\sigma_{n,n} \circ \eta_n = \eta_n
\qquad
\eta_{n+m} = (\mathrm{id}_n \otimes \sigma_{n,m} \otimes \mathrm{id}_m) \circ (\eta_n \otimes \eta_m)
$$

In this context, one can define the transpose operator of a morphism f : n → m as:

$$
f^t := (\varepsilon_m \otimes \mathrm{id}_n) \circ (\mathrm{id}_m \otimes f \otimes \mathrm{id}_n) \circ (\mathrm{id}_m \otimes \eta_n)
$$

One can check that, thanks to the axioms of †-compact PROP, (f ∘ g)^t = g^t ∘ f^t, (f ⊗ g)^t = f^t ⊗ g^t, and f^{tt} = f.

We can then compose (.)^t and (.)†: $\overline{(.)} := (.)^{\dagger t}$. Again using the axioms of †-compact PROP, one can check that $(.)^{\dagger t} = (.)^{t\dagger}$.


2.3 Example: Qubit 


The usual example of a strict symmetric †-compact monoidal category is FHilb, the category whose objects are finite dimensional Hilbert spaces, and whose morphisms are linear maps between them. It is not, however, a PROP, as it is not generated by a single object.

One subcategory of FHilb that is a PROP, though, is Qubit, the subcategory of FHilb generated by the object ℂ², considered as the object 1. A morphism f : n → m of Qubit is hence a linear map from ℂ^{2^n} to ℂ^{2^m}. (. ∘ .) is then the usual composition of linear maps, and (. ⊗ .) is the usual tensor product of linear maps. One can check that the first set of axioms is satisfied.
This is not enough to conclude that Qubit is a PROP. We still need to define a family of morphisms σ_{n,m}. In the Dirac notation, given a basis B of ℂ², we can define σ_{n,m} as

$$
\sigma_{n,m} := \sum_{(x,y) \in B^n \times B^m} |y, x\rangle\langle x, y|.
$$

One can then check that all the axioms of PROPs are satisfied.

Qubit is not only a PROP, but also †-compact. Indeed, first, given a morphism:

$$
f = \sum_{(x,y) \in B^n \times B^m} a_{x,y}\, |y\rangle\langle x|
$$

we can define its dagger $f^\dagger := \sum_{(x,y) \in B^n \times B^m} \overline{a_{x,y}}\, |x\rangle\langle y|$, which is the usual definition of the dagger for linear maps.

Its compact structure can be given by $\eta_n := \sum_{x \in B^n} |x, x\rangle$, which implies $\varepsilon_n = \eta_n^\dagger = \sum_{x \in B^n} \langle x, x|$. One can check that all the axioms of †-compact PROPs are satisfied.


Since Qubit is †-compact, we can define the transpose (.)^t which happens to be the usual transpose of linear maps, and the conjugate $\overline{(.)}$, which again is the usual conjugation in linear maps over ℂ.

There is a subcategory of Qubit that is of importance: Stab. It is the smallest †-compact subcategory of Qubit (the compact structure is preserved) that contains:

— $H := \frac{1}{\sqrt 2}\,(|0\rangle\langle 0| + |0\rangle\langle 1| + |1\rangle\langle 0| - |1\rangle\langle 1|) : 1 \to 1$
— $S := |0\rangle\langle 0| + i\,|1\rangle\langle 1| : 1 \to 1$
— $CZ := |00\rangle\langle 00| + |01\rangle\langle 01| + |10\rangle\langle 10| - |11\rangle\langle 11| : 2 \to 2$


3 The Category SOP 


3.1 SOP as a PROP 


The point of the Sum-Over-Paths formalism [1] is to symbolically manipulate morphisms written in a form akin to the Dirac notation. Reasoning on symbolic terms allows us to detect where a term can be simplified to a "smaller" one, or to give a specification on a term.

A morphism of the category will be of the form:

$$
|x\rangle \mapsto s \sum_{y \in V^k} e^{2i\pi P(x,y)}\, |Q(x,y)\rangle
$$

where:

— x = x_1, ..., x_n is the input signature; it is a list of variables
— V is a set of variables (hence y is a collection of these variables)
— P is a multivariate polynomial, instantiated by the variables x and y
— Q = Q_1, ..., Q_m is the output signature; it is a multivariate, multivalued boolean polynomial
— s is a real scalar
We may denote V_f a subset of the variables V used in f. Then by default, if V_f and V_g are used in the same term, we consider that V_f ∩ V_g = ∅. To distinguish the two sum operators (the one in P and the one in Q), we can denote the one in the output signature Q as ⊕. Moreover, it will sometimes be necessary to immerse one of the boolean polynomials Q_i in the phase polynomial P. We hence define $\widehat{Q_i}$ inductively as $\hat{x} = x$ for a variable x, $\widehat{pq} = \hat p\, \hat q$ and $\widehat{p \oplus q} = \hat p + \hat q - 2\hat p\, \hat q$.


Definition 1 (SOP). SOP is defined as the PROP where, given a set of variables V:

— Identity morphisms are $\mathrm{id}_n : |x\rangle \mapsto |x\rangle$
— Morphisms f : n → m are of the form $f : |x\rangle \mapsto s \sum_{y \in V^k} e^{2i\pi P(x,y)}\, |Q(x,y)\rangle$ where s ∈ ℝ, x ∈ V^n, $P \in \mathbb{R}[X_1, \dots, X_{n+k}]/(1, X_i^2 - X_i)$, and $Q \in (\mathbb{F}_2[X_1, \dots, X_{n+k}])^m$
— Composition is obtained as
$$
f \circ g := |x_g\rangle \mapsto s_f s_g \sum_{\substack{y_g \in V_g^{k_g}\\ y_f \in V_f^{k_f}}} e^{2i\pi\left(P_g + P_f[x_f \leftarrow \widehat{Q_g}]\right)}\, |Q_f[x_f \leftarrow Q_g]\rangle
$$
— Tensor product is obtained as
$$
f \otimes g := |x_f, x_g\rangle \mapsto s_f s_g \sum_{\substack{y_f \in V_f^{k_f}\\ y_g \in V_g^{k_g}}} e^{2i\pi(P_f + P_g)}\, |Q_f, Q_g\rangle
$$
— The symmetric braiding is $\sigma_{n,m} : |x_1, x_2\rangle \mapsto |x_2, x_1\rangle$

The polynomial P is called the phase polynomial, as it appears in the morphism in $e^{2i\pi\,\cdot}$. Because of this, we consider the polynomial modulo 1. We also consider the polynomial quotiented by X² − X for all its variables X, as these variables are to be evaluated in {0,1}, so we consider X² = X.

Notice that the definition of the identities does not directly fit the description of the morphisms. However, we can rewrite it as $|x\rangle \mapsto |x\rangle \;=\; |x\rangle \mapsto 1 \sum_{y \in V^0} e^{2i\pi\, 0}\, |x\rangle$. Hence, when we sum over a single element, we may forget the sum operator, and when the phase polynomial is 0, we may not write it. Notice by the way that $\mathrm{id}_0 = |\rangle \mapsto |\rangle$. Indeed, $|\rangle$ is absolutely valid, it represents an empty register.


Example 1. We can give the SOP version of the usual quantum gates:

$$
R_Z(\alpha) := |x\rangle \mapsto e^{i\alpha x}\, |x\rangle
\qquad
CNot := |x_1, x_2\rangle \mapsto |x_1, x_1 \oplus x_2\rangle
$$
$$
H := |x\rangle \mapsto \frac{1}{\sqrt 2} \sum_{y \in V} e^{2i\pi \frac{xy}{2}}\, |y\rangle
\qquad
CZ := |x_1, x_2\rangle \mapsto e^{2i\pi \frac{x_1 x_2}{2}}\, |x_1, x_2\rangle
$$

Example 2. Let us derive the operation (id ⊗ H) ∘ CNot:

$$
\begin{aligned}
(\mathrm{id} \otimes H) \circ CNot
&= \left(|x_1, x_2\rangle \mapsto \frac{1}{\sqrt 2} \sum_{y \in V} e^{2i\pi \frac{x_2 y}{2}}\, |x_1, y\rangle\right) \circ \left(|x_1, x_2\rangle \mapsto |x_1, x_1 \oplus x_2\rangle\right) \\
&= |x_1, x_2\rangle \mapsto \frac{1}{\sqrt 2} \sum_{y \in V} e^{2i\pi \frac{(x_1 + x_2 - 2x_1x_2)\, y}{2}}\, |x_1, y\rangle
\end{aligned}
$$

where $x_1 + x_2 - 2x_1x_2 = \widehat{x_1 \oplus x_2}$.


The previous definition contains a claim: that SOP is a PROP. To be so, 
one has to check all the axioms of PROPs. One has to be careful when doing so. 
Indeed, the sequential composition (. o.) induces a substitution. Hence, one has 
to check all the axioms in the presence of a “context”, that is, one has to show 
that the axioms can be applied locally. 

If an axiom states t_1 → t_2, one should ideally check that A ∘ (id_n ⊗ t_1 ⊗ id_m) ∘ B → A ∘ (id_n ⊗ t_2 ⊗ id_m) ∘ B for any "before" morphism B and any "after" morphism A. However, this can be easily reduced to checking that A ∘ t_1 ∘ B → A ∘ t_2 ∘ B.

In the case of the axioms of PROPs, this can further be reduced to show- 
ing the axioms without context, as neither idn nor On,m introduce variables or 
phases. For the other axioms, however, the context will have to be taken into ac- 
count. A fairly straightforward but tedious verification gives that, indeed, SOP 
is a PROP. 


3.2 From SOP to Qubit 


To check the soundness of what we are going to do in the following, it may be 
interesting to have a way of interpreting morphisms of SOP as morphisms of 
Qubit. 


Definition 2. The functor [.] : SOP → Qubit is defined as being identity on objects, and such that

$$
\left[\, |x\rangle \mapsto s \sum_{y \in V^k} e^{2i\pi P(x,y)}\, |Q(x,y)\rangle \,\right] := s \sum_{(x,y) \in \{0,1\}^n \times \{0,1\}^k} e^{2i\pi P(x,y)}\, |Q(x,y)\rangle\langle x|
$$


Example 3. The interpretation of H is as intended the Hadamard gate:

$$
[H] = \frac{1}{\sqrt 2} \sum_{x,y \in \{0,1\}} e^{i\pi xy}\, |y\rangle\langle x| = \frac{1}{\sqrt 2}\,(|0\rangle\langle 0| + |0\rangle\langle 1| + |1\rangle\langle 0| - |1\rangle\langle 1|)
$$

Proposition 1. The interpretation [.] is a PROP-functor, meaning:

$$
[f \circ g] = [f] \circ [g]
\qquad
[f \otimes g] = [f] \otimes [g]
\qquad
[\sigma_{n,m}] = \sigma_{n,m}
$$
3.3 SOP as a †-Compact PROP

Towards a Compact Structure. It is tempting to try and adapt the compact structure of Qubit to SOP. To do so, we can first define $\eta_n := |\rangle \mapsto \sum_{y \in V^n} |y, y\rangle$. However, we cannot as easily define ε_n. To do so, we need to put the phase polynomial to use:

$$
\varepsilon_n := |x_1, x_2\rangle \mapsto \frac{1}{2^n} \sum_{y \in V^n} e^{2i\pi \frac{y \cdot \widehat{(x_1 \oplus x_2)}}{2}}\, |\rangle
$$

One can easily check that [ε_n] = ε_n. We can also easily check that the axioms of †-compact PROP where ε_n does not appear, such as σ_{n,n} ∘ η_n = η_n and (id_n ⊗ σ_{n,m} ⊗ id_m) ∘ (η_n ⊗ η_m) = η_{n+m}, are satisfied.

However, the equation (ε_n ⊗ id_n) ∘ (id_n ⊗ η_n) = id_n = (id_n ⊗ ε_n) ∘ (η_n ⊗ id_n) is not satisfied, as:

$$
(\varepsilon_n \otimes \mathrm{id}_n) \circ (\mathrm{id}_n \otimes \eta_n) = |x\rangle \mapsto \frac{1}{2^n} \sum_{y_1, y_2 \in V^n} e^{2i\pi \frac{y_1 \cdot \widehat{(x \oplus y_2)}}{2}}\, |y_2\rangle \neq \mathrm{id}_n
$$

The fact that we have (ε_n ⊗ id_n) ∘ (id_n ⊗ η_n) ≠ id_n while its interpretation in Qubit holds, hints at a way to rewrite the first term as the second.
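As an added example (not code from the paper), the following Python represents SOP morphisms of Definition 1 by their phase and output polynomials as callables, implements composition and tensor product by substitution, and interprets terms as matrices via the functor of Definition 2; it checks Example 3, Proposition 1 on the composition of Example 2, and that the snake term above, although not syntactically id_n, interprets to the identity. The class and function names are this example's own.

```python
# Added example, not from the paper: sum-over-paths morphisms in the shape of
# Definition 1, composed by substitution and interpreted into matrices by the
# functor [.] of Definition 2. Phase and output polynomials are plain Python
# callables evaluated on 0/1 values, so the immersion Q-hat of a boolean
# polynomial into the phase polynomial happens automatically; no symbolic
# rewriting is attempted here.
import cmath
import itertools
import math

def bits_to_int(bits):
    """Index of the basis state |b_1 ... b_n> (b_1 most significant)."""
    v = 0
    for b in bits:
        v = 2 * v + int(b)
    return v

class SOP:
    """f : |x> -> s * sum_{y in V^k} e^{2 i pi P(x, y)} |Q(x, y)>
    with n input and m output variables and k summed variables."""

    def __init__(self, n, m, k, s, P, Q):
        self.n, self.m, self.k, self.s, self.P, self.Q = n, m, k, s, P, Q

    def interpret(self):
        """[f] = s * sum_{x, y} e^{2 i pi P(x, y)} |Q(x, y)><x|  (Definition 2),
        returned as a 2^m x 2^n matrix given as a list of rows."""
        M = [[0j] * 2 ** self.n for _ in range(2 ** self.m)]
        for x in itertools.product((0, 1), repeat=self.n):
            for y in itertools.product((0, 1), repeat=self.k):
                amp = self.s * cmath.exp(2j * math.pi * self.P(x, y))
                out = tuple(q % 2 for q in self.Q(x, y))    # outputs live in F2
                M[bits_to_int(out)][bits_to_int(x)] += amp
        return M

    def compose(self, g):
        """f o g (apply g first): substitute the outputs of g for the inputs
        of f, in both the phase and the output polynomials (Definition 1)."""
        f = self
        assert g.m == f.n, "f o g needs the outputs of g to match the inputs of f"
        def P(x, y):
            yg, yf = y[:g.k], y[g.k:]
            return g.P(x, yg) + f.P(tuple(q % 2 for q in g.Q(x, yg)), yf)
        def Q(x, y):
            yg, yf = y[:g.k], y[g.k:]
            return f.Q(tuple(q % 2 for q in g.Q(x, yg)), yf)
        return SOP(g.n, f.m, g.k + f.k, f.s * g.s, P, Q)

    def tensor(self, g):
        """f (x) g: disjoint inputs, disjoint summed variables, added phases."""
        f = self
        def P(x, y):
            return f.P(x[:f.n], y[:f.k]) + g.P(x[f.n:], y[f.k:])
        def Q(x, y):
            return tuple(f.Q(x[:f.n], y[:f.k])) + tuple(g.Q(x[f.n:], y[f.k:]))
        return SOP(f.n + g.n, f.m + g.m, f.k + g.k, f.s * g.s, P, Q)

# The gates of Example 1 and the compact structure of Section 3.3.
def identity(n):
    return SOP(n, n, 0, 1.0, lambda x, y: 0, lambda x, y: x)

H = SOP(1, 1, 1, 1 / math.sqrt(2), lambda x, y: x[0] * y[0] / 2, lambda x, y: (y[0],))
CNOT = SOP(2, 2, 0, 1.0, lambda x, y: 0, lambda x, y: (x[0], x[0] ^ x[1]))
CZ = SOP(2, 2, 0, 1.0, lambda x, y: x[0] * x[1] / 2, lambda x, y: (x[0], x[1]))

def eta(n):   # |> -> sum_y |y, y>
    return SOP(0, 2 * n, n, 1.0, lambda x, y: 0, lambda x, y: y + y)

def epsilon(n):   # |x1, x2> -> 2^-n sum_y e^{2 i pi y.(x1 xor x2)/2} |>
    return SOP(2 * n, 0, n, 2.0 ** -n,
               lambda x, y: sum(y[i] * (x[i] ^ x[n + i]) for i in range(n)) / 2,
               lambda x, y: ())

def matmul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def close(A, B, tol=1e-9):
    """Entrywise comparison of two matrices of equal shape."""
    return (len(A) == len(B) and all(len(r) == len(c) for r, c in zip(A, B))
            and all(abs(a - b) < tol for r, c in zip(A, B) for a, b in zip(r, c)))

def hadamard_matrix():
    """Example 3: [H] is the Hadamard gate."""
    return H.interpret()

def functor_preserves_composition():
    """Proposition 1 checked on Example 2: [(id (x) H) o CNot] = [id (x) H] [CNot]."""
    lhs = identity(1).tensor(H).compose(CNOT).interpret()
    rhs = matmul(identity(1).tensor(H).interpret(), CNOT.interpret())
    return close(lhs, rhs)

def snake_interprets_to_identity(n=1):
    """[(eps_n (x) id_n) o (id_n (x) eta_n)] = id_n in Qubit, even though the
    SOP term itself is not syntactically id_n (Section 3.3)."""
    snake = epsilon(n).tensor(identity(n)).compose(identity(n).tensor(eta(n)))
    return close(snake.interpret(), identity(n).interpret())
```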


An Equational Theory. A rewrite strategy is given in [1], and we show in 
Figure 1 the rules we are going to use in the paper. Each rewrite rule contains a 
condition, which usually ensures that a variable (the one we want to get rid of) 
does not appear in some polynomials. We hence use Var as the operator that 
gets all the variables from a sequence of polynomials. For simplicity, the input 
signature is omitted, as well as the parameters in the polynomials. 


$$
\sum_{y} e^{2i\pi P}\, |Q\rangle \;\to\; 2 \sum_{y \setminus \{y_0\}} e^{2i\pi P}\, |Q\rangle
\qquad \text{if } y_0 \notin \mathrm{Var}(P, Q) \qquad \text{(Elim)}
$$
$$
\sum_{y} e^{2i\pi\left(\frac{y_0}{2}\,\widehat{(y_0' \oplus Q_2)} + R\right)}\, |Q\rangle \;\to\; 2 \sum_{y \setminus \{y_0, y_0'\}} e^{2i\pi R[y_0' \leftarrow Q_2]}\, |Q[y_0' \leftarrow Q_2]\rangle
\qquad \text{if } y_0 \notin \mathrm{Var}(R, Q_2, Q),\ y_0' \notin \mathrm{Var}(Q_2) \qquad \text{(HH)}
$$
$$
\sum_{y} e^{2i\pi\left(\frac{y_0}{4} + \frac{y_0}{2}\,\widehat{Q_2} + R\right)}\, |Q\rangle \;\to\; \sqrt 2 \sum_{y \setminus \{y_0\}} e^{2i\pi\left(\frac{1}{8} - \frac{\widehat{Q_2}}{4} + R\right)}\, |Q\rangle
\qquad \text{if } y_0 \notin \mathrm{Var}(Q_2, R, Q) \qquad (\omega)
$$

Fig. 1. Rewrite strategy $\to_{\mathrm{Clif}}$


$\to_{\mathrm{Clif}}$ denotes the rewrite system formed by the three rules (Elim), (HH) and (ω). $\to^*_{\mathrm{Clif}}$ is the transitive closure of the rewrite system. Notice that all the rules remove at least one variable from the morphism, so we know $\to_{\mathrm{Clif}}$ terminates.

When the rules are not oriented, we get an equivalence relation on the morphisms of SOP. We denote this equivalence $\sim_{\mathrm{Clif}}$.




We denote $\mathrm{SOP}/\!\sim_{\mathrm{Clif}}$ the category SOP quotiented by the equivalence relation $\sim_{\mathrm{Clif}}$.


It is to be noticed that: 


Proposition 2. For any rule r of $\to_{\mathrm{Clif}}$ and t_1, t_2 ∈ SOP:

$$
t_1 \to_r t_2 \implies
\begin{cases}
A \circ t_1 \circ B \to_r A \circ t_2 \circ B & \text{for all } A \text{ and } B \text{ composable} \\
A \otimes t_1 \otimes B \to_r A \otimes t_2 \otimes B & \text{for all } A \text{ and } B
\end{cases}
$$

This obviously generalises to $\to^*_{\mathrm{Clif}}$.


This result allows us to forget about the context in the rewriting process. The newly obtained category $\mathrm{SOP}/\!\sim_{\mathrm{Clif}}$ is still a PROP. It even has a compact structure, as the last necessary axiom is now derivable:

$$
(\varepsilon \otimes \mathrm{id}) \circ (\mathrm{id} \otimes \eta) = |x\rangle \mapsto \frac{1}{2} \sum_{y_1, y_2 \in V} e^{2i\pi \frac{y_1\, \widehat{(x \oplus y_2)}}{2}}\, |y_2\rangle \;\to_{\mathrm{Clif}}\; |x\rangle \mapsto |x\rangle = \mathrm{id}
$$

and similarly for (id ⊗ ε) ∘ (η ⊗ id) = id.


†-Functor for SOP. To show that $\mathrm{SOP}/\!\sim_{\mathrm{Clif}}$ is †-compact, we lack a notion of †-functor on SOP. Remember that we defined $\overline{(.)}$ as $(.)^{\dagger t}$. Since we have a compact structure, we can already define the functor (.)^t. Thanks to the new equivalence relation $\sim_{\mathrm{Clif}}$, this functor is involutive. Hence, we have $(.)^\dagger = \overline{(.)}^{\,t}$. An appropriate definition of the conjugation can be given:

Definition 3. The conjugation is defined as:

$$
\overline{|x\rangle \mapsto s_f \sum_{y} e^{2i\pi P_f}\, |Q_f\rangle} := |x\rangle \mapsto s_f \sum_{y} e^{-2i\pi P_f}\, |Q_f\rangle
$$

By combination with (.)^t this gives a definition of (.)†. These three functors are the expected ones:

Proposition 3. $[f^t] = [f]^t$, $[\,\overline{f}\,] = \overline{[f]}$, $[f^\dagger] = [f]^\dagger$.

We can finally prove the wanted result:

Theorem 1. $\mathrm{SOP}/\!\sim_{\mathrm{Clif}}$ is a †-compact PROP.
4 Redefinition of SOP 


In Qubit, and hence in SOP, because the structures are †-compact, it may feel 
unnatural to have an asymmetry between inputs and outputs of the process. 
Why not have morphisms of the form $f = s\sum_y e^{2i\pi P(y)}|O(y)\rangle\langle I(y)|$? In this case, we 
have to change the definition of the composition, which has as a consequence 
that the SOP morphisms do not form a category. However, it is a category 
when quotiented by $\underset{\text{Clif}}{\sim}$. This is the reason why we did not define SOP like 
this at first, although it greatly simplifies the notions of compact structure and 
†-functor. 
We now redefine SOP, and will use this new definition in the rest of the 
paper: 


Definition 4 (SOP). We redefine SOP as the collection of objects $\mathbb{N}$ and mor- 
phisms between them: 


— Identity morphisms are $\mathrm{id}_n := \sum_{y\in V^n}|y\rangle\langle y|$ 
— Morphisms $f : n\to m$ are of the form $f := s\sum_{y\in V^k} e^{2i\pi P(y)}|O(y)\rangle\langle I(y)|$ where 
$s\in\mathbb{R}$, $P\in\mathbb{R}[X_1,\ldots,X_k]/(1, X_i^2 - X_i)$, $O\in(\mathbb{F}_2[X_1,\ldots,X_k])^m$ and $I\in(\mathbb{F}_2[X_1,\ldots,X_k])^n$ 
— Composition is obtained as $f\circ g := \frac{s_f s_g}{2^{|I_f|}}\sum_{y} e^{2i\pi(P_f+P_g+\cdots)}|O_f\rangle\langle I_g|$ 
— Tensor product is obtained as $f\otimes g := s_f s_g\sum_{y} e^{2i\pi(P_f+P_g)}|O_f,O_g\rangle\langle I_f,I_g|$ 
— The symmetric braiding is $\sigma_{n,m} := \sum_{y_1,y_2}|y_2,y_1\rangle\langle y_1,y_2|$ 
— The compact structure is $\eta_n := \sum_y |y,y\rangle\langle|$ and $\varepsilon_n := \sum_y |\rangle\langle y,y|$ 
— The †-functor is given by: $f^\dagger := s\sum_y e^{-2i\pi P}|I\rangle\langle O|$ 
— The functor $[.]$ is defined as: $[f] := s\sum_{y\in\{0,1\}^k} e^{2i\pi P(y)}|O(y)\rangle\langle I(y)|$ 


As announced, this is not a category, as $\mathrm{id}\circ\mathrm{id} = \fr{}\!\!\frac{1}{2^n}\sum e^{2i\pi(\cdots)}|y_0\rangle\langle y_1| \neq 
\sum_y |y\rangle\langle y| = \mathrm{id}$. This problem is solved by reintroducing the rewrite rules, adapted 
to the new formalism. In the following, references to the rewrite rules are to their 
adapted version. 

The results given for the previous formalisation can easily be adapted. In 
particular: 


Proposition 4. $\mathrm{SOP}/\underset{\text{Clif}}{\sim}$ is a †-compact PROP, and $[.]$ is a †-compact PROP- 
functor. 
Remark 1. When building a SOP-morphism $t$ from a circuit (or a diagram as 
we will show in the following) in this formalism, provided the complexity of the 
gates is bounded (e.g. in the gateset $(H, R_Z(\alpha), CNot)$), the resulting $t$ is always 
of size $O(d\times n)$ where $n$ is the size of the register, and $d$ the depth of the circuit 
(and for a diagram in $O(G\times a)$ where $G$ is the number of generators and $a$ the 
maximum arity of these generators). This contrasts with the first definition of 
SOP, where the size of the constructed SOP term gets exponential in general. 
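The symmetric morphisms of Definition 4 and the functor $[.]$, as an added illustration (this is not the paper's own code): phase polynomials are dictionaries of monomials with coefficients mod 1, kets and bras are lists of F2 polynomials, and the composition glues $I_f$ to $O_g$ with the Kronecker-delta identity $\delta(a,b) = \frac12\sum_z e^{i\pi z(a\oplus b)}$, my own rendering of the gluing term since the exact phase term of the page's composition is not legible here. Running it shows the point made after Definition 4: $\mathrm{id}\circ\mathrm{id}$ is syntactically a larger term than $\mathrm{id}$, yet both interpret to the identity matrix.

```python
"""Sum-over-paths terms s * sum_{y in {0,1}^k} e^{2 i pi P(y)} |O(y)><I(y)|.
Added illustration of Definition 4; not the paper's code."""
from fractions import Fraction
import cmath
import itertools
import math


class SOP:
    """P: {frozenset(variable indices): Fraction}, coefficients taken mod 1.
    O, I: lists of F2 polynomials; each polynomial is a frozenset of monomials,
    a monomial being a frozenset of variable indices (frozenset() is the constant 1)."""
    def __init__(self, s, k, P, O, I):
        self.s, self.k, self.P, self.O, self.I = s, k, dict(P), list(O), list(I)


def eval_phase(P, y):
    """P(y) mod 1 for a 0/1 tuple y"""
    return sum((c for m, c in P.items() if all(y[v] for v in m)), Fraction(0)) % 1


def eval_f2(poly, y):
    """value of an F2 polynomial: parity of the monomials that evaluate to 1"""
    return sum(1 for m in poly if all(y[v] for v in m)) % 2


def _index(bits):
    """basis-vector index, first wire most significant"""
    idx = 0
    for b in bits:
        idx = 2 * idx + b
    return idx


def interpret(f):
    """The functor [.] of Definition 4 as a 2^m x 2^n matrix (list of rows)."""
    m, n = len(f.O), len(f.I)
    M = [[0j] * (2 ** n) for _ in range(2 ** m)]
    for y in itertools.product((0, 1), repeat=f.k):
        amp = f.s * cmath.exp(2j * math.pi * float(eval_phase(f.P, y)))
        row = _index([eval_f2(o, y) for o in f.O])
        col = _index([eval_f2(i, y) for i in f.I])
        M[row][col] += amp
    return M


def _shift(poly, d):
    return frozenset(frozenset(v + d for v in m) for m in poly)


def _shift_phase(P, d):
    return {frozenset(v + d for v in m): c for m, c in P.items()}


def _add_phase(P, Q):
    R = dict(P)
    for m, c in Q.items():
        R[m] = (R.get(m, Fraction(0)) + c) % 1
    return {m: c for m, c in R.items() if c != 0}


def tensor(f, g):
    """f (x) g: disjoint variables, phases add, kets and bras concatenate."""
    d = f.k
    return SOP(f.s * g.s, f.k + g.k, _add_phase(f.P, _shift_phase(g.P, d)),
               f.O + [_shift(o, d) for o in g.O], f.I + [_shift(i, d) for i in g.I])


def compose(f, g):
    """f o g.  Each wire between I_f and O_g gets a fresh variable z and the delta
    (1/2) sum_z e^{i pi z (a xor b)}: scalar 1/2^{|I_f|}, and every monomial of the
    F2 sum a + b contributes z*monomial with coefficient 1/2 (a parity and the plain
    integer sum of the monomials differ by an even number, which vanishes mod 1)."""
    assert len(f.I) == len(g.O), "wire count mismatch"
    d = f.k
    P = _add_phase(f.P, _shift_phase(g.P, d))
    k = f.k + g.k
    for i, (a, b) in enumerate(zip(f.I, (_shift(o, d) for o in g.O))):
        z = k + i
        for m in a ^ b:                      # symmetric difference = sum in F2
            P = _add_phase(P, {m | frozenset([z]): Fraction(1, 2)})
    return SOP(f.s * g.s / 2 ** len(f.I), k + len(f.I), P, f.O,
               [_shift(i, d) for i in g.I])


def identity(n):
    """id_n = sum_y |y><y|"""
    wires = [frozenset([frozenset([i])]) for i in range(n)]
    return SOP(1.0, n, {}, wires, list(wires))


def hadamard():
    """H = 1/sqrt2 sum_{y0,y1} e^{2 i pi y0 y1 / 2} |y1><y0|"""
    return SOP(1 / math.sqrt(2), 2, {frozenset([0, 1]): Fraction(1, 2)},
               [frozenset([frozenset([1])])], [frozenset([frozenset([0])])])


def close(A, B, tol=1e-9):
    return all(abs(a - b) < tol for ra, rb in zip(A, B) for a, b in zip(ra, rb))


def eye(n):
    return [[1.0 if r == c else 0.0 for c in range(n)] for r in range(n)]


if __name__ == "__main__":
    t = compose(identity(1), identity(1))
    print(t.k, close(interpret(t), eye(2)))                            # 3 True
    print(close(interpret(compose(hadamard(), hadamard())), eye(2)))   # True
```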


5 SOP and Graphical Languages 


The sum-over-paths formalism was initially intended to be used for isometries. 
As such, it was given a weak form of completeness, as we will discuss in the next 
section. However, if transforming a quantum circuit (which describes an isometry) 
into an SOP morphism is easy, the converse, transforming an SOP morphism 
into a circuit, is not. And actually, not all SOP morphisms represent an 
isometry. For instance, the morphism $\varepsilon_n$ described above is not an isometry. An 
even smaller example is $\sum_y |\rangle\langle y|$, which is a valid SOP morphism, but clearly 
does not represent an isometry. 

Monoidal categories, and subsequently PROPs, have the benefit of having a 
nice graphical representation, using string diagrams. The fact that SOP is one 
hints at another family of languages more suited for representing it: the Z*- 
Calculi: ZX, ZW and ZH [7,8,10,3]. These are all †-compact graphical languages 
that have an interpretation in Qubit, and are universal for Qubit. This means 
that any morphism of Qubit can be represented as a morphism of any of these 
three languages. 

The language that happens to be the closest to SOP is the ZH-Calculus. 
This is the one we are going to present in the following. However, bear in mind 
that, as we have semantics-preserving functors between any two of these three 
languages, one can do the same work with the ZX- and ZW-Calculi. 

The link between the sum-over-paths formalism and the ZH-Calculus was first 
shown in [14,15]. We give here a slightly different but equivalent presentation, 
which in particular uses the fact that we altered the formalism of SOP, and we 
will focus this presentation on the Clifford fragment, as it is sufficient for the 
scope of the present article, although a more general presentation could be given 
(see the previous two references, or the longer version of the present article). 


5.1 The Clifford Fragment of the ZH-Calculus 


$\mathrm{ZH}_{\text{Clif}}$ is a PROP whose morphisms are composed (sequentially $(.\circ.)$ or in 
parallel $(.\otimes.)$) from three generators, drawn as diagrams in the original: the Z-spider with phase $\alpha$, the H-box, and the scalar $s$, where $\alpha\in\frac{\pi}{2}\mathbb{Z}$ 
and $s\in\langle\sqrt2, e^{i\frac{\pi}{4}}\rangle$, the multiplicative group freely generated by $\sqrt2$ and $e^{i\frac{\pi}{4}}$. 
$\mathrm{ZH}_{\text{Clif}}$ is made a †-compact PROP, which means it also has the symmetric 
structure $\sigma_{n,m}$, the compact structure $(\eta_n, \varepsilon_n)$ 
and a †-functor $(.)^\dagger : \mathrm{ZH}_{\text{Clif}}\to\mathrm{ZH}_{\text{Clif}}$. 
For convenience, we define two additional spiders; their diagrammatic definitions in terms of the generators above are not reproduced here. 

The full language comes with a way of interpreting the morphisms as mor- 
phisms of Qubit, whose restriction to $\mathrm{ZH}_{\text{Clif}}$ maps to Stab. The standard 
interpretation $[.] : \mathrm{ZH}_{\text{Clif}}\to\mathrm{Stab}$ is a †-compact-PROP-functor, defined on the generators as: 

$$[\text{Z-spider}(\alpha)] = |0^m\rangle\langle 0^n| + e^{i\alpha}|1^m\rangle\langle 1^n|,\qquad [\text{H-box}] = \sum_{y_0,y_1\in\{0,1\}}(-1)^{y_0y_1}|y_0\rangle\langle y_1|,\qquad [s] = s$$

Notice that we used the same symbol for two different functors: the two inter- 
pretations $[.] : \mathrm{SOP}\to\mathrm{Qubit}$ and $[.] : \mathrm{ZH}_{\text{Clif}}\to\mathrm{Stab}$. It should be clear from 
the context which one is to be used. 

The language is universal for Stab: 


Proposition 5. $[.] : \mathrm{ZH}_{\text{Clif}}\to\mathrm{Stab}$ is onto, i.e. 

$$\forall f\in\mathrm{Stab},\ \exists D_f\in\mathrm{ZH}_{\text{Clif}},\ [D_f] = f$$


Since it is not a 1-to-1 correspondence, the language comes with an equational 
theory, which in particular gives the axioms for a †-compact PROP. We will not 
present it here. 


5.2 From $\mathrm{ZH}_{\text{Clif}}$ to SOP 


We show in this section how any $\mathrm{ZH}_{\text{Clif}}$ morphism can be turned into a SOP 
morphism in a way that preserves the semantics. We define $[.]^{sop} : \mathrm{ZH}_{\text{Clif}}\to\mathrm{SOP}$ 
as the †-compact PROP-functor such that: 

$$[\text{Z-spider}(\alpha)]^{sop} = \sum_{y}e^{2i\pi\frac{\alpha}{2\pi}y}|y,\ldots,y\rangle\langle y,\ldots,y|,\qquad [\text{H-box}]^{sop} = \sum_{y_0,y_1}e^{2i\pi\frac{y_0y_1}{2}}|y_0\rangle\langle y_1|$$

$$[\sqrt2^{p}e^{i\frac{\pi q}{4}}]^{sop} = \sqrt2^{p}\,e^{2i\pi\frac{q}{8}}|\rangle\langle|\quad\text{for }\sqrt2^{p}e^{i\frac{\pi q}{4}}\in\langle\sqrt2,e^{i\frac{\pi}{4}}\rangle$$

This interpretation can be extended to the full graphical language. It preserves 
the semantics: 


Proposition 6. $[[.]^{sop}] = [.]$. 


5.3 The Clifford Fragment of SOP 


Since $\mathrm{ZH}_{\text{Clif}}$ is universal for Stab, the Clifford fragment of Qubit, and since 
we have an interpretation $[.]^{sop} : \mathrm{ZH}_{\text{Clif}}\to\mathrm{SOP}$ that preserves the semantics, 
we can define $\mathrm{SOP}_{\text{Clif}}$ as the image of $\mathrm{ZH}_{\text{Clif}}$ by $[.]^{sop}$. This gives a charac- 
terisation of the fragment: 
Definition 5. $\mathrm{SOP}_{\text{Clif}}$ is the subPROP of SOP with the same objects, and 
whose morphisms are of the form 

$$\frac{1}{\sqrt2^{p}}\sum_{y} e^{2i\pi\left(\frac12 P^{(2)}+\frac14 P^{(1)}+\frac18 P^{(0)}\right)}|O\rangle\langle I|$$

where $P^{(i)}$ is a polynomial with integer coefficients of degree at most $i$ (hence $P^{(0)}$ is 
in fact merely an integer); and where all the $O_i$ and $I_i$ are linear. 


It is an easy check that $[\mathrm{ZH}_{\text{Clif}}]^{sop}\subseteq\mathrm{SOP}_{\text{Clif}}$, so $\mathrm{SOP}_{\text{Clif}}$ has enough 
morphisms to describe the Clifford fragment of quantum computing. We can 
even show it exactly captures it. To do so, we introduce an interpretation from 
$\mathrm{SOP}_{\text{Clif}}$ back to $\mathrm{ZH}_{\text{Clif}}$. 


5.4 From $\mathrm{SOP}_{\text{Clif}}$ to $\mathrm{ZH}_{\text{Clif}}$ 


We define $[.]^{ZH} : \mathrm{SOP}_{\text{Clif}}\to\mathrm{ZH}_{\text{Clif}}$ on arbitrary $\mathrm{SOP}_{\text{Clif}}$ morphisms by a diagram (not reproduced here) 
where the row of Z-spiders represents the variables $y_1,\ldots,y_k$. 
The inputs of $O_i$ are linked to $y_1,\ldots,y_k$. The nodes $O_i$ are defined inductively, by a diagram, 
on the structure of the polynomial $O_i$. 
Notice that we did not define how to interpret a product $O_1O_2$. This can 
be done for the interpretation of the full SOP category, but it is unnecessary 
for $\mathrm{SOP}_{\text{Clif}}$ where the $O_i$ are linear. The nodes $I_i$ are defined similarly, but 
upside-down. The node $P$ is defined inductively in the same way. 
The obtained diagram can then be reduced using the usual rules of ZH. 
The system of interpretations is close to preserving the structure of the terms: 


Proposition 7. $[[.]^{ZH}]^{sop}\underset{\text{Clif}}{\sim}(.)$ 

Corollary 1. $[[.]^{ZH}] = [.]$ 


This result allows us to prove $\mathrm{SOP}_{\text{Clif}}$ does capture the Clifford fragment of 
quantum mechanics: 


Proposition 8. $[.] : \mathrm{SOP}_{\text{Clif}}\to\mathrm{Stab}$, the restriction of the standard interpre- 
tation to $\mathrm{SOP}_{\text{Clif}}$, is onto Stab. 


6 A Complete Rewrite System for Clifford 


In [1], where the rewrite rules are introduced, the author gives a notion of com- 
pleteness for Clifford unitaries, which we will refer to in the following as "weak 
completeness": 


Proposition 9 (Weak Completeness for Clifford Unitaries). Given two 
terms $t_1, t_2$ of $\mathrm{SOP}_{\text{Clif}}$ such that $[t_i]\circ[t_i]^\dagger = \mathrm{id} = [t_i]^\dagger\circ[t_i]$, we have: 

$$t_1\circ t_2^\dagger\xrightarrow[\text{Clif}]{*}\mathrm{id}\iff[t_1] = [t_2]$$


In practice, this is sufficient for deciding the equivalence of two Clifford quan- 
tum circuits, as they are represented as unitary morphisms of $\mathrm{SOP}_{\text{Clif}}$. However, 
in our case, where we deal with more than unitaries, we cannot use this trick. 
Instead, we aim at a result like "$t_1\underset{\text{Clif}}{\sim}t_2\iff[t_1] = [t_2]$". In other 
words, we want a rewrite system that will transform any term of $\mathrm{SOP}_{\text{Clif}}$ into 
a unique normal form. However, the rewrite system $\xrightarrow[\text{Clif}]{}$ is not enough for this: 

Lemma 1. $\xrightarrow[\text{Clif}]{}$ is not confluent in $\mathrm{SOP}_{\text{Clif}}$. 


To address this problem, we propose to add three rewrite rules to the previ- 
ously presented ones. These new rewrite rules are shown in Figure 2. 


$$s\sum_y e^{2i\pi P}|O_1,\ldots,y_0\oplus O'_i,\ldots,O_m\rangle\langle I| \to s\sum_y e^{2i\pi P[y_0\leftarrow y_0\oplus O'_i]}\big(|O\rangle\langle I|\big)[y_0\leftarrow y_0\oplus O'_i]\qquad(\text{ket})$$
$$\text{if } y_0\notin\mathrm{Var}(O_1,\ldots,O_{i-1},O'_i)\ \wedge\ O'_i\neq 0$$

$$s\sum_y e^{2i\pi P}|O\rangle\langle I_1,\ldots,y_0\oplus I'_i,\ldots,I_n| \to s\sum_y e^{2i\pi P[y_0\leftarrow y_0\oplus I'_i]}\big(|O\rangle\langle I|\big)[y_0\leftarrow y_0\oplus I'_i]\qquad(\text{bra})$$
$$\text{if } y_0\notin\mathrm{Var}(O,I_1,\ldots,I_{i-1},I'_i)\ \wedge\ I'_i\neq 0$$

$$s\sum_y e^{2i\pi\left(R+\frac{y_0}{2}\right)}|O\rangle\langle I| \to \sum_{y_0}e^{i\pi y_0}|0,\ldots,0\rangle\langle 0,\ldots,0|\qquad(Z)$$
$$\text{if } (R\neq 0\ \text{or}\ O\neq 0\ \text{or}\ I\neq 0)\ \wedge\ y_0\notin\mathrm{Var}(R,O,I)$$


Fig. 2. Together with those of $\xrightarrow[\text{Clif}]{}$ these rules constitute the rewrite system $\xrightarrow[\text{Clif}+]{}$. 


The last rule (Z) describes what happens for a term that represents the 
linear map 0. Rule (bra) is simply the continuation of (ket). They explain how 
to operate suitable changes of variables. 
Proposition 10. The rewrite system $\xrightarrow[\text{Clif}+]{}$ terminates. 


Not only does this rewrite system terminate, it is confluent in $\mathrm{SOP}_{\text{Clif}}$ and 
the induced equivalence relation $\underset{\text{Clif}+}{\sim}$ is complete for Clifford. The plan to prove 
this is by showing that any morphism of $\mathrm{SOP}_{\text{Clif}}$ reduces to a normal form that 
is unique, up to $\alpha$-conversion (upcoming Thm. 2). To get there, we first need a 
few intermediary results. 


Lemma 2. Any morphism of $\mathrm{SOP}_{\text{Clif}}$ reduces by $\xrightarrow[\text{Clif}+]{}$ to a morphism of the 
form $s\sum_y e^{2i\pi P}|O\rangle\langle I|$ where: 


— $\mathrm{Var}(P)\subseteq\mathrm{Var}(O,I)$ or $P = \frac{y_0}{2}$ where $y_0\notin\mathrm{Var}(O,I)$ 
— $O_i :=$ either $y_k$ or $c\oplus\bigoplus_{y\in\mathrm{Var}(O_1,\ldots,O_{i-1})}c_y\,y$ where $c, c_y\in\{0,1\}$ 
— $I_i :=$ either $y_k$ or $c\oplus\bigoplus_{y\in\mathrm{Var}(O,I_1,\ldots,I_{i-1})}c_y\,y$ where $c, c_y\in\{0,1\}$ 

To start with, we deal with the case where the term represents the null map. 


Proposition 11. Let $t$ be a morphism of $\mathrm{SOP}_{\text{Clif}}$ such that $[t] = 0$. Then: 

$$t\xrightarrow[\text{Clif}+]{*}\sum_{y_0}e^{i\pi y_0}|0,\ldots,0\rangle\langle 0,\ldots,0|$$


Corollary 2. If a morphism $t = s\sum_y e^{2i\pi P}|O\rangle\langle I|$ of $\mathrm{SOP}_{\text{Clif}}$ is irreducible 
such that $\mathrm{Var}(P)\subseteq\mathrm{Var}(O,I)$, then $[t]\neq 0$. 


Before moving on to the completeness by normal forms theorem, we need a 
result for the uniqueness of the phase polynomial: 


Lemma 3. Let $P_1$ and $P_2$ be two polynomials of $\mathbb{R}[X_1,\ldots,X_k]/(1, X_i^2 - X_i)$. We 
have $(\forall x\in\{0,1\}^k,\ P_1(x) = P_2(x))\implies(P_1 = P_2)$ 


Theorem 2. Let $t_1$ and $t_2$ be two morphisms of $\mathrm{SOP}_{\text{Clif}}$ such that $[t_1] = [t_2]$. 
Then, there exists $t$ in $\mathrm{SOP}_{\text{Clif}}$ such that $t_1\xrightarrow[\text{Clif}+]{*}t\xleftarrow[\text{Clif}+]{*}t_2$, up to $\alpha$-conversion. 

This result is not totally surprising, since, as exposed by [15], the rules of $\xrightarrow[\text{Clif}]{}$ 
are generalisations of the so-called pivoting and local complementation which can 
be used to reduce any Clifford ZX (or ZH)-diagram into a pseudo-normal form 
[9,2]; there, a diagram can have several different but equivalent pseudo-normal 
forms. The rules introduced to get $\xrightarrow[\text{Clif}+]{}$ are simply here to further rewrite terms 
in pseudo-normal form into terms in proper (unique) normal form. 
Corollary 3. The equality of morphisms in $\mathrm{SOP}_{\text{Clif}}/\underset{\text{Clif}+}{\sim}$ is decidable in time 
polynomial in the size of the phase polynomial and in the combined size of the 
ket/bra polynomials. 


Although the set of rules is confluent in $\mathrm{SOP}_{\text{Clif}}$, it is not in SOP: 


Lemma 4 (Non-confluence). The rewrite systems $\xrightarrow[\text{Clif}]{}$ and $\xrightarrow[\text{Clif}+]{}$ are not con- 
fluent in SOP. 


7 SOP with Discards 


In this section we want to extend SOP so that it can express the larger formalism 
of mixed quantum operators. The discard construction can be used for that 
purpose, as well as for extending the rewrite system for the Clifford fragment. 
We finally leverage the previous completeness theorem to get a similar result in 
this extension. 


7.1 The Discard Construction on SOP 


In [5], a construction is given to extend any †-compact PROP for pure quantum 
mechanics to another †-compact PROP for quantum mechanics with environ- 
ment. This new formalism can also be understood as the previous one, but where 
on top of it, one can discard the qubits. Because SOP fits the requirements, the 
construction can be applied to it. 

First, we have to create the subcategory $\mathrm{SOP}_{iso}$ of SOP that contains all 
its isometries. The objects of the new category are the same, and its morphisms 
are $\{f\in\mathrm{SOP}\mid[f^\dagger\circ f] = \mathrm{id}\}$. 

These are important, as the isometries are exactly the pure quantum oper- 
ators that can be discarded. The next step in the construction does just that. 
We perform the affine completion of $\mathrm{SOP}_{iso}$, that is, for every object $n$, we add 
a new morphism $!_n : n\to 0$, and we impose that $!\circ f = !$ for any $f$ in the new 
category, which we denote $\mathrm{SOP}_!$. We also need to impose that $!_n\otimes !_m = !_{n+m}$ 
and $!_0 = \mathrm{id}_0$. 

Finally, the category $\mathrm{SOP}^{⏚}$ is obtained as the following pushout in the cate- 
gory of SMCs, where the arrows are the inclusion functors: 

$$\begin{array}{ccc}\mathrm{SOP}_{iso} & \longrightarrow & \mathrm{SOP}\\ \downarrow & & \downarrow\\ \mathrm{SOP}_! & \longrightarrow & \mathrm{SOP}^{⏚}\end{array}$$

We write the new morphisms in the form $s\sum_{y\in V^k}e^{2i\pi P(y)}|O(y)\rangle\,!D(y)\,\langle I(y)|$ 
where the additional $D$ is a set of polynomials of $\mathbb{F}_2$. The fact 
that it is a set, and not a list, already captures some rules on the discard: first 
permuting qubits and then discarding them is equivalent to discarding them 
right away. Similarly, copying data and discarding the copies is equivalent to 
discarding the data right away. 
Pure morphisms are those such that $D = \{\}$. In those, no qubits are dis- 
carded. We hence easily induce usual morphisms such as $H$ and $CZ$ in the new 
formalism. 

The new morphisms $!_n$ are given by: $!_n := \sum_{y\in V^n}|\rangle\,!\{y_1,\ldots,y_n\}\,\langle y_1,\ldots,y_n|$ 

In the new formalism, the compositions are obtained exactly like previously, 
where the resulting set of discarded polynomials is the union of the other two. 

It might be useful to be able to give an interpretation to the morphisms of the 
new formalism. To do so, we use the CPM construction [17] to map morphisms 
of $\mathrm{SOP}^{⏚}$ to morphisms of SOP. 


Definition 6. The map $\mathrm{CPM} : \mathrm{SOP}^{⏚}\to\mathrm{SOP}$ is defined as: 

$$s\sum_y e^{2i\pi P}|O\rangle\,!D\,\langle I| \mapsto s^2\sum_{y_1,y_2,\ldots}e^{2i\pi\left(P(y_1)-P(y_2)+\cdots\right)}|O(y_1),O(y_2)\rangle\langle I(y_1),I(y_2)|$$

where the omitted part of the sum and of the phase identifies the discarded polynomials $D(y_1)$ and $D(y_2)$. 


We can now define a standard interpretation of $\mathrm{SOP}^{⏚}$-morphisms as: 
Definition 7. The standard interpretation $[.]$ of $\mathrm{SOP}^{⏚}$ is defined as $[.] := 
[\mathrm{CPM}(.)]$. 

Again, it is easy to transform any morphism of $\mathrm{SOP}^{⏚}$ into $\mathrm{ZH}^{⏚}$ and vice- 
versa: $\left[s\sum_{y\in V^k}e^{2i\pi P(y)}|O(y)\rangle\,!D(y)\,\langle I(y)|\right]^{ZH}$ is given by a diagram (not reproduced here), 
and $[⏚]^{sop} = !$. 


7.2 SOP with Discards for Clifford 


The discard construction can be applied to the subcategory $\mathrm{SOP}_{\text{Clif}}$. We end 
up with a new category $\mathrm{SOP}^{⏚}_{\text{Clif}}$, such that the following diagram, whose arrows 
are inclusions, commutes: 

$$\begin{array}{ccc}\mathrm{SOP}_{\text{Clif}} & \longrightarrow & \mathrm{SOP}\\ \downarrow & & \downarrow\\ \mathrm{SOP}^{⏚}_{\text{Clif}} & \longrightarrow & \mathrm{SOP}^{⏚}\end{array}$$

Following the characterisation of $\mathrm{SOP}_{\text{Clif}}$ morphisms, we determine that all the 
morphisms of $\mathrm{SOP}^{⏚}_{\text{Clif}}$ are of the form: 

$$\frac{1}{\sqrt2^{p}}\sum_y e^{2i\pi\left(\frac12 P^{(2)}+\frac14 P^{(1)}+\frac18 P^{(0)}\right)}|O\rangle\,!D\,\langle I|$$

where $p\in\mathbb{Z}$, where $P^{(i)}$ is a polynomial with integer coefficients and of degree 
at most $i$, and where the polynomials of $O$, $D$ and $I$ are linear. 

The rewrite system presented previously can obviously be adapted to the 
new formalism (when there is a substitution, it has to be applied in $!D$ as well). 
On top of that, the condition that makes $\mathrm{SOP}_{iso}$ terminal can be translated 
as a meta rule which sadly is not easy to apply. Thankfully, the last part of 
[5] is devoted to showing that this big meta rule can sometimes be replaced by 
a few small ones. The idea is that, in some cases (in particular in the Clifford 
fragment), all the isometries can be generated from a finite set of generators. In 
particular, it is enough to impose the following equations: 

$$!\circ|0\rangle = 1,\qquad !\circ|{+}\rangle = 1,\qquad !\circ H = !,\qquad !\circ S = !,\qquad (!\otimes !)\circ CZ = !\otimes !$$


Based on this, we can give an updated set of rewrite rules fit for the introduction 
of $!$. Due to the size of this rewrite system, we do not provide it here, but it 
can be found in the extended version of this paper. The rewrite system is denoted 
$\xrightarrow[\text{Clif}⏚+]{}$ and induces an equivalence relation $\underset{\text{Clif}⏚+}{\sim}$. Notice that we can extend CPM 
to $\mathrm{CPM} : \mathrm{SOP}^{⏚}/\underset{\text{Clif}⏚+}{\sim}\to\mathrm{SOP}/\underset{\text{Clif}+}{\sim}$, which makes it a functor. 


Proposition 12. The rewrite system $\xrightarrow[\text{Clif}⏚+]{}$ terminates. 


We aim to prove a similar result to that of the $!$-free Clifford fragment, that 
is that the new rewrite system rewrites any morphism of the Clifford fragment 
into a unique normal form. The idea here is to make use of the previous result. 


Lemma 5. Any non-null morphism of $\mathrm{SOP}^{⏚}_{\text{Clif}}$ can be reduced to: 

$$\frac{1}{\sqrt2^{p}}\sum_{y,y_d}e^{2i\pi\left(\frac12 P^{(2)}(y,y_d)+\frac14 P^{(1)}(y,y_d)\right)}|O(y,y_d)\rangle\,!\{y_d\}\,\langle I(y,y_d)|\quad\text{where:}$$


— polynomials of $O$ and $I$ are linear 
— the set of discarded polynomials is reduced to a set of variables $\{y_d\}$ 
— $P^{(1)}$ and $P^{(2)}$ have no constants 
— no monomial of $P^{(2)}$ uses only variables of $y_d$ 
— $\{y_d\}\subseteq\mathrm{Var}(O,I)$ 
— $\mathrm{Var}(P^{(1)},P^{(2)})\subseteq\mathrm{Var}(O,I,D)$ or $P = \frac{y_0}{2}$ with $y_0\notin\mathrm{Var}(O,I,D)$. 


Corollary 4. Any morphism of $\mathrm{SOP}^{⏚}_{\text{Clif}}$ eventually reduces to a morphism of 
the form given in Lem. 5. 


Lemma 6. Any morphism $t$ of $\mathrm{SOP}^{⏚}_{\text{Clif}}$ such that $[t] = 0$ reduces to: 

$$\sum_{y_0}e^{i\pi y_0}|0,\ldots,0\rangle\,!\{\}\,\langle 0,\ldots,0|$$


Corollary 5. If $t\in\mathrm{SOP}^{⏚}_{\text{Clif}}$ is terminal with $\mathrm{Var}(P)\subseteq\mathrm{Var}(O,D,I)$, then 
$[t]\neq 0$. 

Definition 8. We consider the set of morphisms of $\mathrm{SOP}^{⏚}_{\text{Clif}}$ in the 
form given in Lem. 5. We define the function $F$ on this set such that, for any 
morphism $t = \frac{1}{\sqrt2^{p}}\sum_{y,y_d}e^{2i\pi P(y,y_d)}|O(y,y_d)\rangle\,!\{y_d\}\,\langle I(y,y_d)|$ of it: 
This new functor $F$ can be seen as a simplified CPM construction, applicable 
only for terms that are already simplified (in the form of Lem. 5). 


Proposition 13. For any $t$ in the form of Lem. 5, $F(t)\underset{\text{Clif}+}{\sim}\mathrm{CPM}(t)$. 
This implies $[F(.)] = [\mathrm{CPM}(.)]$. 


Definition 9. We define a function $G$ on some morphisms of $\mathrm{SOP}_{\text{Clif}}$ that have 
an appropriate form. Let $t = \frac{1}{\sqrt2^{p}}\sum_y e^{2i\pi P}|O_1,O_2\rangle\langle I_1,I_2|$ with $|O_1| = |O_2|$ 
and $|I_1| = |I_2|$. Let us partition $y$ into: $\{y_d\} := \{y\}\setminus\mathrm{Var}(O_1\oplus O_2, I_1\oplus I_2)$, 
$\{y_1\} := \mathrm{Var}(O_1,I_1)\setminus\{y_d\}$ and $\{y_2\} := (\{y\}\setminus\{y_1\})\setminus\{y_d\}$. If $|y_1| = |y_2|$ and 
if there exists a unique bijection $\delta : \{y_2\}\to\{y_1\}$ such that: 

$(O_1\oplus O_2, I_1\oplus I_2)[y_2\leftarrow\delta(y_2)] = 0$, then $G(t)$ is defined, and: 

$$G(t) := \cdots\sum_{y_1,y_d}e^{2i\pi(\cdots)}\big(|O_1\rangle\,!\{y_d\}\,\langle I_1|\big)[y_2\leftarrow\delta(y_2)]$$

(scalar and phase polynomial not legible). 


The function $G$ is designed to be an inverse of $F$ for morphisms where it is 
defined, while at the same time being impervious to some rewrite rules. 


Proposition 14. Let $t$ be terminal with $\xrightarrow[\text{Clif}⏚+]{}$, and $t'$ such that $F(t)\xrightarrow[\text{Clif}+]{*}t'$. 
Then, $G(F(t))$ and $G(t')$ exist, and $G(F(t)) = G(t')$. 


Theorem 3. Let $t_1$ and $t_2$ be two morphisms of $\mathrm{SOP}^{⏚}_{\text{Clif}}$ such that $[t_1] = [t_2]$. 
If $t'_1$ and $t'_2$ are terminal such that $t_1\xrightarrow[\text{Clif}⏚+]{*}t'_1$ and $t_2\xrightarrow[\text{Clif}⏚+]{*}t'_2$, then $t'_1 = t'_2$ up 
to $\alpha$-conversion. 


Remark 2. Interestingly, the previous proposition and theorem show that the 
simplification of a term of $\mathrm{SOP}^{⏚}_{\text{Clif}}$ can be operated in the "pure" setting, and 
then $G$ can be used to retrieve the normal form. 


Corollary 6. The equality of morphisms in $\mathrm{SOP}^{⏚}_{\text{Clif}}/\underset{\text{Clif}⏚+}{\sim}$ is decidable in time 
polynomial in the size of the phase polynomial and in the combined size of the 
ket/bra/discarded polynomials. 
Abstract. The classical van Benthem theorem characterizes modal logic 
as the bisimulation-invariant fragment of first-order logic; put differently, 
modal logic is as expressive as full first-order logic on bisimulation- 
invariant properties. This result has recently been extended to two 
flavours of quantitative modal logic, viz. fuzzy modal logic and prob- 
abilistic modal logic. In both cases, the quantitative van Benthem the- 
orem states that every formula in the respective quantitative variant 
of first-order logic that is bisimulation-invariant, in the sense of being 
nonexpansive w.r.t. behavioural distance, can be approximated by quan- 
titative modal formulae of bounded rank. In the present paper, we unify 
and generalize these results in three directions: We lift them to full coal- 
gebraic generality, thus covering a wide range of system types includ- 
ing, besides fuzzy and probabilistic transition systems as in the existing 
examples, e.g. also metric transition systems; and we generalize from 
real-valued to quantale-valued behavioural distances, e.g. nondetermin- 
istic behavioural distances on metric transition systems; and we remove 
the symmetry assumption on behavioural distances, thus covering also 
quantitative notions of simulation. 


Keywords: Modal logic - Quantale - Fuzzy logic - Coalgebra - Be- 
havioural distance - Modal characterization. 


1 Introduction 


Modal logic takes part of its popularity from the fact that it specifies transi- 
tion systems at what for many purposes may be regarded as the right level of 
granularity; that is, it is invariant under the standard process-theoretic notion of 
bisimulation in the sense that bisimilar states satisfy the same modal formulae. 
There are two quite different well-known converses to this elementary property, 
which both witness the expressiveness of modal logic: By the Hennessy-Milner 
theorem [29], states in finitely branching systems that satisfy the same modal 
formulae are bisimilar, and by the van Benthem theorem, every first-order de- 
finable bisimulation-invariant property is expressible by a modal formula. Since 
modal logic embeds into first-order logic, the latter result may be phrased as say- 
ing that modal logic is the bisimulation-invariant fragment of first-order logic. 


* Work of both authors forms part of the DFG project Probabilistic description logics 
as a fragment of probabilistic first-order logic (SCHR 1118/6-2) 
© The Author(s) 2021 


S. Kiefer and C. Tasson (Eds.): FOSSACS 2021, LNCS 12650, pp. 551-571, 2021. 
https://doi.org/10.1007/978-3-030-71995-1_28 
In the two-valued setting, there has been increased recent interest in variants 
and generalizations of this result (e.g. [54,14,52,22,55,1]). 

For quantitative systems, it has long been realized (e.g. [26,15,10]) that quan- 
titative notions of process equivalence, generally referred to as behavioural met- 
rics (although they are in general only pseudometrics, as distinct but equivalent 
states have distance zero), are often more appropriate than two-valued bisim- 
ilarity. In particular, while two-valued notions of process equivalence just flag 
small deviations between systems as inequivalence, behavioural metrics can pro- 
vide more fine-grained information on the degree of similarity of systems. Be- 
havioural metrics are correspondingly used, e.g., in verification [25], differential 
privacy [13], and conformance testing of hybrid systems [36]. 


In the same way that two-valued modal logic constitutes a natural speci- 
fication language for two-valued transition systems, quantitative systems cor- 
relate to quantitative modal logics. In this context, bisimulation invariance is 
read as nonexpansiveness w.r.t. behavioural distance, i.e. two states differ on a 
modal formula at most by their behavioural distance; we refer to this property 
as behavioural nonexpansiveness. Notably, van Breugel and Worrell [10] prove 
a Hennessy-Milner type theorem for a quantitative probabilistic modal logic: 
They show that on compact state spaces, the formulae of the logic lie dense 
in the space of behaviourally nonexpansive state properties, which implies that 
behavioural distance and logical distance coincide. 


In the present paper, we are mainly interested in the other converse to be- 
havioural nonexpansiveness, i.e. in quantitative van Benthem theorems. In pre- 
vious work with Pattinson and König, we have established such theorems for 
quantitative modal logics of fuzzy [57] and probabilistic [58] transition systems. 
In the quantitative setting, these theorems take the form of approximability 
properties, and state that every behaviourally nonexpansive quantitative first- 
order property is approximable by quantitative modal formulae of bounded rank. 
The latter qualification is in fact the key content of the respective theorems — 
without it, approximability is closer in flavour to Hennessy-Milner-type theo- 
rems, which apply to arbitrary rather than just first-order definable properties 
(although one should note additionally that our van Benthem theorems do not 
assume compactness of the state space). 


Our present contribution is to unify and generalize these results in three di- 
rections: First, we allow for full coalgebraic generality, i.e. we cover system types 
subsumed under the paradigm of universal coalgebra [49]. Besides the fuzzy and 
probabilistic systems featuring in the previous concrete instances of our result, 
this includes a wide range of weighted, game-based, and preferential systems; for 
illustration, we concentrate on the (comparatively simple) case of metric tran- 
sition systems [3,20] in the presentation. Second, we generalize from real-valued 
to quantale-valued metrics (e.g. [24,33]). Using the unit interval quantale, we 
recover our previous results on real-valued logics as special cases. Beyond this, 
quantales in particular provide support for what may be termed metrics with 
effects; we illustrate this on a notion of convex-nondeterministic behavioural dis- 
tance on metric transition systems, where the behavioural distance gives an 
interval of possible real-valued distances. Lastly, we remove the assumption that 
distances need to be symmetric, so that we cover also notions of quantitative 
simulation. At this level of generality, we prove both a Hennessy-Milner type 
theorem stating coincidence of logical and behavioural distance, effectively gen- 
eralizing the existing coalgebraic quantitative Hennessy-Milner theorem [37] to 
quantale-valued distances; and, as our main result, a quantitative van Benthem 
theorem stating that all behaviourally non-expansive first-order properties can 
be modally approximated in bounded rank. 


Related Work There is a substantial body of work on two-valued modal charac- 
terization theorems, e.g. for logics with frame conditions [14], coalgebraic modal 
logics [52], fragments of XPath [12,22,1], neighbourhood logic [28], modal logic 
with team semantics [38], modal p-calculi (within monadic second order log- 
ics) [85,19], PDL (within weak chain logic) [11], modal first-order logics [6,54], 
and two-dimensional modal logics with an S5-modality [55]. We are not aware of 
quantitative modal characterization theorems other than the mentioned ones for 
fuzzy and probabilistic modal logics [57,58]. Prior to the quantitative Hennessy- 
Milner theorems mentioned above [10,37], Hennessy-Milner theorems have been 
established for two-valued logics and two-valued bisimilarity over quantitative 
systems, e.g. on probabilistic transition systems [39,16,17]. There is work on 
Hennessy-Milner theorems for certain Heyting-valued modal logics [21,18]; since 
Heyting algebras are quantales but often fail to meet a continuity assumption 
needed in our generic Hennessy-Milner theorem, we do not claim to subsume 
these results. 


2 Preliminaries 


We briefly recall basic definitions and examples on quantales and universal coal- 
gebra, and fix some data needed throughout the paper. We need some elementary 
category theory, see, e.g., [2]. 


Quantales are order-algebraic structures that serve as objects of truth values 
in suitable multi-valued logics, and also support a useful notion of generalized 
(pseudo-)metric space (e.g. [24,33,32]). Our arguments will rely on a certain 
amount of epsilontics, and hence require more specifically the use of value quan- 
tales [24]. 

We recall some basic order and lattice theory. A complete lattice is a partially 
ordered set $(V,\le)$ having all suprema $\bigvee A$ for $A\subseteq V$, equivalently all infima 
$\bigwedge A$. We denote binary meets and joins by $\wedge$ and $\vee$, respectively. Given $x,y\in V$, 
we say that $x$ is well above $y$, and write $x\succ y$, if whenever $y\ge\bigwedge A$ for some 
$A\subseteq V$, then $x\ge a$ for some $a\in A$. A complete lattice $(V,\le)$ is completely 
distributive if all joins in $V$ distribute over all meets, equivalently all meets 
distribute over all joins [46]. Another equivalent characterization is that $(V,\le)$ 
is completely distributive iff 

$$y = \bigwedge\{x\in V\mid x\succ y\}$$

for every $y\in V$ [47]. 

In the definition of value quantale, we follow Flagg [24] in dualizing the usual 
continuity condition for quantales in order to avoid having to reverse the order 
when moving between the general development and basic examples such as the 
unit interval; deviating from his terminology, we emphasize this by the prefix 
‘co-’: 

Definition 2.1 ((Value) co-quantales). A (commutative) co-quantale $V$ is a 
complete lattice $(V,\le)$ equipped with a commutative monoid structure $(0,\oplus)$ 
that is meet-continuous: 

$$a\oplus\bigwedge_{i\in I}b_i = \bigwedge_{i\in I}(a\oplus b_i).$$

A co-quantale $V$ is a value co-quantale [24] if $0$ is the bottom element of $V$ 
and moreover $(V,\le)$ is a value distributive lattice, i.e. a completely distributive 
complete lattice such that $|V| > 1$ and for all $x,y\in V$, $x,y\succ 0$ implies $x\wedge y\succ 0$. 
Correspondingly, we denote the greatest element of $V$ by $1$. 


(Dually, in a quantale the operation $\oplus$ is required to be join-continuous.) By 
meet-continuity, we obtain a further binary operator $\ominus$ on a co-quantale $V$ by 
adjunction, defined by 

$$a\ominus b\le v\quad\text{iff}\quad a\le b\oplus v$$

(equivalently, $a\ominus b = \bigwedge\{v\mid a\le b\oplus v\}$). The operator $\ominus$ is sometimes called the 
internal hom of $V$ [7]. Moreover, in a value co-quantale, we have that for each 
$\varepsilon\succ 0$, there exists $\delta\succ 0$ such that $2\cdot\delta := \delta\oplus\delta\le\varepsilon$ [24, Theorem 2.9]. This 
allows for proofs where an error bound $\varepsilon\succ 0$ needs to be split up into multiple 
smaller parts. 

A simple example of a value co-quantale is the unit interval $[0,1]$ with the 
usual ordering, with truncated addition $a\oplus b = \min(a+b,1)$ as the monoid 
structure. Correspondingly, the $\ominus$ operation is truncated subtraction $a\ominus b = 
\max(a-b,0)$. We have $a\succ b$ iff $a > b$. We will give further examples in Section 3. 


Universal Coalgebra serves as a unified framework for many types of state-based systems [49], such as nondeterministic, probabilistic, alternating, game-based, or weighted systems. It is based on encapsulating the system type as a functor $T$, for our purposes on the category $\mathsf{Set}$ of sets and functions; such a $T$ assigns to each set $X$ a set $TX$, thought of as a type of structured collections over $X$, and to each map $f\colon X \to Y$ a map $Tf\colon TX \to TY$, respecting identities and composition. A $T$-coalgebra $(A, \alpha)$ consists of a set $A$ of states and a transition map $\alpha\colon A \to TA$, thought of as assigning to each state a structured collection of successors. Taking $T$ to be the covariant powerset functor $\mathcal{P}$, which assigns to each set $X$ its powerset $\mathcal{P}X$, we obtain relational transition systems as $T$-coalgebras. As a further example, the (discrete) subdistribution functor $\mathcal{S}$ assigns to each set $X$ the set $\mathcal{S}X$ of discrete probability subdistributions $\mu$ on $X$ (i.e. $\mu(X_0) = \mu(X) \le 1$ for some countable subset $X_0 \subseteq X$), and to each map $f\colon X \to Y$ the image measure function (i.e. $\mathcal{S}f(\mu)(B) = \mu(f^{-1}[B])$ for $B \subseteq Y$).


A Quantified Coalgebraic van Benthem Theorem 555 


$\mathcal{S}$-coalgebras are probabilistic transition systems (or Markov chains) with possible deadlock: they assign to each state a subdistribution over possible successor states, with the gap of the total probability to $1$ interpreted as the probability of deadlock. Additional instances are seen in Example 4.4. For the remainder of the paper, we fix a set functor $T$ and require that $T\emptyset$ is nonempty (hence our use of subdistributions instead of distributions in the examples). Moreover, we require w.l.o.g. that $T$ is standard, i.e. preserves subset inclusions [5].


3 Quantale-Valued Distances and Lax Extensions 


A $\mathcal{V}$-valued relation between sets $A$ and $B$ is a map $R\colon A \times B \to \mathcal{V}$, which we also denote by $R\colon A ⇸ B$. For fixed $A$ and $B$, we order the $\mathcal{V}$-valued relations between $A$ and $B$ pointwise: $R_1 \le R_2 \;:\Longleftrightarrow\; \forall a \in A, b \in B.\ R_1(a,b) \le R_2(a,b)$. We compose relations $R\colon A ⇸ B$ and $S\colon B ⇸ C$ using the monoid operation on $\mathcal{V}$:

$$(R;S)(a,c) = \bigwedge\{R(a,b) \oplus S(b,c) \mid b \in B\}.$$

Given a function $f\colon A \to B$ and $\varepsilon \in \mathcal{V}$, the $\varepsilon$-graph $\mathrm{Gr}_{\varepsilon,f}$ is the relation

$$\mathrm{Gr}_{\varepsilon,f}(a,b) = \begin{cases} \varepsilon, & \text{if } f(a) = b; \\ 1, & \text{otherwise.} \end{cases}$$

We also write $\mathrm{Gr}_f = \mathrm{Gr}_{0,f}$ and, in case of the identity function, $\Delta_{\varepsilon,X} = \mathrm{Gr}_{\varepsilon,\mathrm{id}_X}$ and $\Delta_X = \Delta_{0,X}$.


Definition 3.1 ($\mathcal{V}$-continuity space). Let $X$ be a set and let $d\colon X ⇸ X$. The pair $(X,d)$ is a $\mathcal{V}$-continuity space [24] if $d \le \Delta_X$ and $d \le d;d$, or equivalently, if for all $x, y, z \in X$,

$$d(x,x) = 0 \quad\text{and}\quad d(x,z) \le d(x,y) \oplus d(y,z).$$

The dual of $(X,d)$ is the $\mathcal{V}$-continuity space $(X, d^*)$ where $d^*(x,y) = d(y,x)$. The symmetrization of $(X,d)$ is the space $(X, d^s)$ with $d^s(x,y) = d(x,y) \vee d^*(x,y)$. We say that $(X,d)$ is symmetric if $d = d^*$.

Remark 3.2. Recall that omission of the metric symmetry axiom $d(x,y) = d(y,x)$ is standardly designated by the prefix ‘quasi-’ and omission of the antisymmetry axiom $d(x,y) = 0 \implies x = y$ by the prefix ‘pseudo-’; thus, continuity spaces could be termed generalized pseudo-quasimetric spaces, and symmetric continuity spaces generalized pseudometric spaces.


The co-quantale $\mathcal{V}$ itself is made into a $\mathcal{V}$-continuity space $(\mathcal{V}, d_{\mathcal{V}})$ using the operator $\ominus$:

$$d_{\mathcal{V}}(a,b) = a \ominus b.$$

For any set $A$, the supremum distance between $\mathcal{V}$-valued maps $f, g\colon A \to \mathcal{V}$ is

$$d^A_{\mathcal{V}}(f,g) = \bigvee_{a \in A} d_{\mathcal{V}}(f(a), g(a)).$$


The usual notion of nonexpansive map generalizes as expected:

Definition 3.3 (Nonexpansive maps). A map $f\colon X \to Y$ between $\mathcal{V}$-continuity spaces $(X, d_1)$ and $(Y, d_2)$ is nonexpansive if $d_2(f(x), f(y)) \le d_1(x,y)$ for all $x, y \in X$. We denote the space of nonexpansive maps between $(X, d_1)$ and $(Y, d_2)$ by $(X, d_1) \to_1 (Y, d_2)$. In the special case of nonexpansive $\mathcal{V}$-valued maps we write $\mathrm{Pred}(X, d) = (X, d) \to_1 (\mathcal{V}, d_{\mathcal{V}})$.


Ultimately we are interested in defining and reasoning about behavioural distances. Generally speaking, a behavioural distance is a $\mathcal{V}$-continuity space defined on the carrier of a $T$-coalgebra $\alpha\colon A \to TA$ in such a way that the behaviour defined by the coalgebra map $\alpha$ is incorporated into the distance values of states in $A$. This is accomplished using relation liftings, which lift $\mathcal{V}$-valued relations giving distances between states to those giving distances between successor structures of states. We specifically generalize the notion of nonexpansive lax extension [56] to the quantale-valued case:


Definition 3.4 (Lax Extension). A nonexpansive lax extension of $T$ is a mapping $L$ that maps $\mathcal{V}$-valued relations $R\colon A \times B \to \mathcal{V}$ to relations $LR\colon TA \times TB \to \mathcal{V}$ and satisfies the following axioms:

(L1) $R_1 \le R_2 \implies LR_1 \le LR_2$
(L2) $L(R;S) \le LR;LS$
(L3) $L\mathrm{Gr}_f \le \mathrm{Gr}_{Tf}$
(L4) $L\Delta_{\varepsilon,A} \le \Delta_{\varepsilon,TA}$

for all $R, R_1, R_2\colon A ⇸ B$, $S\colon B ⇸ C$, $f\colon A \to B$ and $\varepsilon \in \mathcal{V}$.

(The notion of lax extension, given by axioms (L1)-(L3), is standard, e.g. [31]; the axiom (L4), introduced in [56], guarantees nonexpansiveness w.r.t. the supremum metric as shown in Lemma 3.6.)


Lemma 3.5. If $L$ is a lax extension of $T$ and $(A,d)$ is a $\mathcal{V}$-continuity space, then so is $(TA, Ld)$.

Lemma 3.6. If $L$ is a nonexpansive lax extension of $T$, then $L$ is in fact nonexpansive w.r.t. the supremum metric. That is, for $R_1, R_2\colon A ⇸ B$ we have $d^{TA \times TB}_{\mathcal{V}}(LR_1, LR_2) \le d^{A \times B}_{\mathcal{V}}(R_1, R_2)$.

Proof. We have $d^{A \times B}_{\mathcal{V}}(R_1, R_2) \le \varepsilon \implies R_1 \le R_2;\Delta_{\varepsilon,B}$. Using (L1), (L2) and (L4), we have $LR_1 \le L(R_2;\Delta_{\varepsilon,B}) \le LR_2;L\Delta_{\varepsilon,B} \le LR_2;\Delta_{\varepsilon,TB}$, so $d^{TA \times TB}_{\mathcal{V}}(LR_1, LR_2) \le \varepsilon$. □


For technical purposes, we will be interested in a generalized version of total boundedness (recall that a standard metric space is compact iff it is complete and totally bounded):

Definition 3.7 (Total boundedness). Let $(X,d)$ be a $\mathcal{V}$-continuity space. For $\varepsilon \gg 0$, we write $B^\varepsilon(x) = \{y \in X \mid d^s(x,y) \ll \varepsilon\}$ for the (symmetric) ball of radius $\varepsilon$ around $x \in X$. A finite $\varepsilon$-cover of $(X,d)$ is a choice of finitely many $a_1, \dots, a_n \in X$ such that $X = \bigcup_{i=1}^n B^\varepsilon(a_i)$. We say that $(X,d)$ is totally bounded if $X$ has a finite $\varepsilon$-cover for each $\varepsilon \gg 0$.

Remark 3.8. Note that use of the symmetrization $d^s$ is essential in the above definition; e.g. in the unit interval, with $d(x,y) = x \ominus y$, the set $\{y \mid d(0,y) \ll \varepsilon\}$ is the whole space, so $0$ alone would form an $\varepsilon$-cover of $[0,1]$ if we replaced $d^s$ with $d$.


Moreover, our main result involves a generalization of the standard notion of density:

Definition 3.9 (Density). Let $(X,d)$ be a $\mathcal{V}$-continuity space. A subset $Y \subseteq X$ is dense if for every $x \in X$ and $\varepsilon \gg 0$ there exists $y \in Y$ such that $d(x,y) \ll \varepsilon$.


Assumption 3.10. Throughout the paper, we fix a value co-quantale $\mathcal{V}$ that is totally bounded as a $\mathcal{V}$-continuity space. Moreover, we fix a dense subset $\mathcal{V}_0 \subseteq \mathcal{V}$ for use as a set of truth constants in the relevant logics, with a view to keeping the syntax countable in the central examples. (The technical development, on the other hand, does not require $\mathcal{V}_0$ to be countable, so we can always take $\mathcal{V}_0 = \mathcal{V}$.)


Example 3.11 ((Value) co-quantales).

1. The set $2 = \{0,1\}$, with $0 < 1$ and with binary join as the monoid structure, is a value co-quantale [24], and of course totally bounded. $2$-Continuities $d$ are just preorders, with $y$ being above $x$ if $d(x,y) = 0$ (!); symmetric $2$-continuities are equivalence relations. Notice that $0 \gg 0$ in $2$. The $\ominus$ operator is given by $a \ominus b = 1$ iff $a = 1$ and $b = 0$.

2. The dual of every locale (e.g. [8]), in particular the set of closed subsets of any topological space, forms a co-quantale, with binary join as the monoid structure. However, locales are not in general value co-quantales. The dual $\Omega(R)$ of the free locale over a set $R$, described as the lattice of downclosed systems of finite subsets of $R$ (ordered by reverse inclusion of such set systems), does form a value co-quantale [24], and is totally bounded [30]. $\Omega(R)$-continuity spaces are known as structure spaces [30,24].

3. The unit interval $[0,1]$ is totally bounded. $[0,1]$-Continuity spaces coincide with $1$-bounded pseudo-quasimetric spaces, and symmetric $[0,1]$-continuity spaces with $1$-bounded pseudometric spaces in the standard sense (cf. Remark 3.2).

4. Convex-nondeterministic distances: The set $\mathcal{I}$ of nonempty closed subintervals (i.e. finitely generated nonempty convex subsets) of $[0,1]$, written in the form $[a,b]$ with $a \le b$, ordered by $[a,b] \le [c,d]$ iff $a \le c$ and $b \le d$, and equipped with truncated Minkowski addition $[a,b] \oplus [c,d] = [a \oplus c, b \oplus d]$ (with $\oplus$ on $[0,1]$ defined as in the previous item), is a totally bounded value co-quantale. We write $[a,b] = [a, \max(a,b)]$ (so that the notation is also meaningful for $a > b$). We have $[a,b] \gg 0 = [0,0]$ iff $a > 0$, and $[a,b] \ominus [c,d] = [a \ominus c, b \ominus d]$, again with $\ominus$ on $[0,1]$ described as in the previous item. We can think of an $\mathcal{I}$-continuity space as assigning to each pair of points a nondeterministic distance, given as an interval of possible distances.
4 Quantale-Valued Modal and Predicate Logics


We next introduce the main objects of study, quantale-valued coalgebraic modal and predicate logics. They will feature modalities interpreted using a quantitative version of predicate liftings [45,50,51]. Predicate liftings take their name from the fact that they lift predicates on a base set $X$ to predicates on the set $TX$ (where $T$ is our globally fixed functor representing the system type according to Section 2). We work with $\mathcal{V}$-valued predicates, which are organized in the contravariant $\mathcal{V}$-powerset functor $\Omega$ given on sets $X$ by $\Omega X = X \to \mathcal{V}$ and on functions $f\colon X \to Y$ by $\Omega f(g) = g \circ f$ (that is, $\Omega$ is a functor $\mathsf{Set}^{\mathrm{op}} \to \mathsf{Set}$ where $\mathsf{Set}^{\mathrm{op}}$ is the opposite category of $\mathsf{Set}$). In keeping with the prevalent reading in fuzzy and probabilistic logics (where, typically, $\mathcal{V} = [0,1]$), we read $0 \in \mathcal{V}$ as ‘false’ and $1 \in \mathcal{V}$ as ‘true’ (opposite choices are also found in the literature, e.g. in modal logics for metric transition systems [3], where $0 \in [0,1]$ is interpreted as ‘true’). Predicate liftings can have arbitrary finite arities [50]. For brevity, we restrict the presentation to unary modalities and predicate liftings; generalizing to higher arities requires only more indexing.


Definition 4.1. A ($\mathcal{V}$-valued) predicate lifting is a natural transformation $\lambda\colon \Omega \to \Omega \circ T$, i.e. a family of maps $\lambda_X\colon \Omega X \to \Omega TX$, indexed over all sets $X$, such that $\lambda_Y(f)(Th(t)) = \lambda_X(f \circ h)(t)$ for all $f\colon Y \to \mathcal{V}$, $h\colon X \to Y$, $t \in TX$.

Definition 4.2. Let $\lambda$ be a predicate lifting.

1. $\lambda$ is monotone if for all sets $X$ and all $f, g \in \Omega X$ with $f \le g$ we have $\lambda_X(f) \le \lambda_X(g)$.

2. $\lambda$ is nonexpansive if for all sets $X$ and all $f, g \in \Omega X$ we have $d^{TX}_{\mathcal{V}}(\lambda_X(f), \lambda_X(g)) \le d^X_{\mathcal{V}}(f, g)$.

For the remainder of the paper, we fix a set $\Lambda$ of monotone and nonexpansive predicate liftings, which, by abuse of notation, we also use as modalities in the syntax. A basic example is the modality $\Diamond$ of quantitative probabilistic modal logic [10], which denotes expected probability (in the next transition step) and corresponds to a predicate lifting for the (sub-)distribution functor $\mathcal{S}$ (Section 2); see Example 4.4.2 for details. The generic syntax of ($\mathcal{V}$-valued) quantitative coalgebraic modal logic is then given by the grammar

$$\varphi, \psi ::= c \mid \varphi \oplus c \mid \varphi \ominus c \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \lambda\varphi \qquad (c \in \mathcal{V}_0,\ \lambda \in \Lambda).$$

The operators $\oplus$, $\ominus$, $\vee$, $\wedge$ denote co-quantale operations; the meaning of $\lambda$ is determined by the associated predicate lifting. As usual, the rank of a formula $\varphi$ is the maximal nesting depth of modalities $\lambda$ in $\varphi$. We denote the set of all modal formulae by $\mathcal{L}^\Lambda$ and the set of formulae of rank at most $n$ by $\mathcal{L}^\Lambda_n$.

Formally, the semantics is defined by assigning to each formula $\varphi$ and each $T$-coalgebra $\alpha\colon A \to TA$ the extension $[\![\varphi]\!]_\alpha\colon A \to \mathcal{V}$, or just $[\![\varphi]\!]$, of $\varphi$ over $\alpha$, recursively defined by

$$\begin{aligned}
[\![\varphi \oplus c]\!](a) &= [\![\varphi]\!](a) \oplus c & [\![\varphi \ominus c]\!](a) &= [\![\varphi]\!](a) \ominus c \\
[\![\varphi \wedge \psi]\!](a) &= [\![\varphi]\!](a) \wedge [\![\psi]\!](a) & [\![\varphi \vee \psi]\!](a) &= [\![\varphi]\!](a) \vee [\![\psi]\!](a) \\
[\![c]\!](a) &= c & [\![\lambda\varphi]\!](a) &= \lambda_A([\![\varphi]\!])(\alpha(a))
\end{aligned}$$
Remark 4.3. Fuzzy logics differ widely in their interpretation of propositional connectives (e.g. [41]). In our modal syntax, we necessarily restrict to nonexpansive operations, in order to ensure nonexpansiveness w.r.t. behavioural distance later; this is typical of characteristic logics for behavioural distances (such as quantitative probabilistic modal logic [10]). The logic hence does not include binary $\oplus$ or $\ominus$ (in the above syntax, we insist that one of the arguments is a constant). In terminology usually applied to $\mathcal{V} = [0,1]$, we thus allow Zadeh connectives (such as $\vee$, $\wedge$) but not Łukasiewicz connectives, so for $\mathcal{V} = [0,1]$, the above version of quantitative coalgebraic modal logic is essentially the Zadeh fragment of Łukasiewicz fuzzy coalgebraic modal logic [51].

The syntax does not include negation $1 \ominus (-)$; if $\mathcal{V}$ satisfies the De Morgan laws (e.g. these hold in $[0,1]$), $\Lambda$ is closed under duals $1 \ominus (\lambda(1 \ominus (-)))$, and $\mathcal{V}_0$ is closed under negation (i.e. $c \in \mathcal{V}_0$ implies $1 \ominus c \in \mathcal{V}_0$), then negation can be defined via negation normal forms as usual.


As the ambient predicate logic of the above modal logic, we use ($\mathcal{V}$-valued) quantitative coalgebraic predicate logic, a quantitative variant of two-valued coalgebraic predicate logic [40]. Its syntax is given by

$$\varphi, \psi ::= c \mid x = y \mid \varphi \oplus c \mid \varphi \ominus c \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \exists x.\,\varphi \mid \forall x.\,\varphi \mid x\lambda\lceil y\colon \varphi\rceil$$

where $c \in \mathcal{V}_0$, $\lambda \in \Lambda$, and $x, y$ come from a fixed supply $\mathrm{Var}$ of (individual) variables. The reading of $x\lambda\lceil y\colon \varphi\rceil$ is the modalized truth degree (according to $\lambda$) to which the successors $y$ of a state $x$ satisfy $\varphi$; e.g. with $\Diamond$ as above, $x\Diamond\lceil y\colon \varphi\rceil$ is the expected truth value of $\varphi$ at a random successor $y$ of $x$. The semantics over $(A, \alpha)$ as above is given by $\mathcal{V}$-valued maps $[\![\varphi]\!]_\alpha$, or just $[\![\varphi]\!]$, that are defined on valuations $\kappa\colon \mathrm{Var} \to A$. The interesting clauses in the definition are

$$[\![\exists x.\,\varphi]\!](\kappa) = \bigvee_{a \in A} [\![\varphi]\!](\kappa[x \mapsto a]) \qquad [\![\forall x.\,\varphi]\!](\kappa) = \bigwedge_{a \in A} [\![\varphi]\!](\kappa[x \mapsto a])$$

$$[\![x\lambda\lceil y\colon \varphi\rceil]\!](\kappa) = \lambda_A\big([\![\varphi]\!](\kappa[y \mapsto -])\big)(\alpha(\kappa(x)))$$

(where $\kappa[y \mapsto a]$ maps $y$ to $a$ and otherwise behaves like $\kappa$, and by $[\![\varphi]\!](\kappa[y \mapsto -])$ we mean the predicate that maps $a$ to $[\![\varphi]\!](\kappa[y \mapsto a])$). Moreover, equality is crisp, i.e. $[\![x = y]\!](\kappa)$ is $1$ if $\kappa(x) = \kappa(y)$, and $0$ otherwise.


Example 4.4. We discuss some instances of the above framework.

1. Fuzzy modal logic: Take $T$ to be the covariant $\mathcal{V}$-valued powerset functor, i.e. $TX = X \to \mathcal{V}$ and $Tf(A)(y) = \bigvee\{A(x) \mid f(x) = y\}$ for $f\colon X \to Y$. We think of $A \in TX$ as a $\mathcal{V}$-valued fuzzy subset of $X$; we say that $A$ is crisp if $A(x) \in \{0,1\}$ for all $x$. Put $\Lambda = \{\Diamond\}$ where $\Diamond_X(A)(B) = \bigvee\{A(x) \wedge B(x) \mid x \in X\}$ for $A \in \Omega X$, $B \in TX$. Then $T$-coalgebras are equivalent to fuzzy Kripke frames, which consist of a set $X$ and a fuzzy relation $R\colon X \times X \to \mathcal{V}$, and $\Diamond$ is the natural fuzzification of the standard diamond modality. Fuzzy propositional atoms from a set $\mathrm{At}$ can be added by passing to the functor that maps a set $X$ to $\Omega(\mathrm{At}) \times TX$. Instantiating to $\mathcal{V} = [0,1]$, we obtain a basic modal logic of fuzzy relations, or in description logic terminology Zadeh fuzzy $\mathcal{ALC}$ [53]. The corresponding instance of quantitative coalgebraic predicate logic is essentially the Zadeh fragment of Novák's Łukasiewicz fuzzy first order logic [43].

2. Probabilistic modal logic: As indicated in Section 2, coalgebras for the subdistribution functor $\mathcal{S}$ are probabilistic transition systems (with possible deadlock). We take $\mathcal{V} = [0,1]$ and $\Lambda = \{\Diamond\}$, interpreted by the predicate lifting

$$\Diamond_X(A)(\mu) = \mathbb{E}_\mu(A) \qquad \text{for } \mu \in \mathcal{S}X$$

where $\mathbb{E}_\mu(A)$ denotes the expected value of $A(x)$ when $x$ is distributed according to $\mu$. The induced instance of quantitative coalgebraic modal logic is (quantitative) probabilistic modal logic [10], which may be seen as a quantitative variant of two-valued probabilistic modal logic [39], and embeds into the probabilistic $\mu$-calculus [34,42]. Propositional atoms are treated analogously as in the previous item (and indeed probabilistic modal logic is trivial without them). The ambient quantitative probabilistic first-order logic arising as the corresponding instance of quantitative coalgebraic predicate logic is a quantitative variant of Halpern's type-1 (i.e. statistical) probabilistic first-order logic [27].

3. Metric modal logic: In their simplest form, metric transition systems [3] are just transition systems in which states are labelled in a metric space $S$ (numerous variants exist, e.g. with states themselves forming a metric space or with transitions labelled in a metric space [9]). We work with a generalized version where $(S, d_S)$ is a $\mathcal{V}$-continuity space. Metric transition systems are then coalgebras for the functor $T$ given on sets by $TX = S \times \mathcal{P}X$. We take $\Lambda = \{\Diamond\} \cup S$. We interpret $\Lambda$ using predicate liftings

$$\Diamond_X(A)(s,B) = \bigvee\{A(x) \mid x \in B\} \qquad r_X(A)(s,B) = d_S(s,r)$$

for $A \in \Omega X$, $(s,B) \in TX$, $r \in S$. Note that $r \in S$ ignores its argument $A$, so is effectively a nullary modality. Note also that as per our interpretation of truth values, this nullary modality is read as distinctness from $r$; in case $\mathcal{V} = [0,1]$, the degree of equality to $r$ can be expressed as $1 \ominus r$. The induced instance of coalgebraic modal logic is related to characteristic logics for branching-time behavioural distances on metric transition systems [3,9].

4. Convex-nondeterministic metric modal logic: We continue to consider metric transition systems as recalled in the previous item, reusing the designators $T, S, d_S$, and taking $\mathcal{V} = [0,1]$ for simplicity. Recall the value co-quantale $\mathcal{I}$ of nonempty closed subintervals of $[0,1]$ from Example 3.11.4. We turn the predicate liftings for $r \in S$ defined in the previous item into $\mathcal{I}$-valued predicate liftings by prolonging them along the inclusion $\iota\colon [0,1] \to \mathcal{I}$, given by $\iota(a) = [a,a]$. We define an $\mathcal{I}$-valued predicate lifting $M$ for $T$, where $\mathcal{I}$ is the value co-quantale of closed intervals introduced in Example 3.11.4, by

$$M_X(A)(s,B) = \Big[\bigwedge\{\pi_1(A(x)) \mid x \in B\},\ \bigvee\{\pi_2(A(x)) \mid x \in B\}\Big]$$

where $\pi_i\colon \mathcal{I} \to [0,1]$ denote the evident projections $\pi_1([a,b]) = a$, $\pi_2([a,b]) = b$. That is, $M$ returns the range of truth values that $A$ takes on $B$.
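The modal syntax and semantics of this section, instantiated to the fuzzy modal logic of item 1 with $\mathcal{V} = [0,1]$, can be made concrete as follows. This is an added Python example, not code from the paper: it represents a fuzzy Kripke frame as a coalgebra $\alpha\colon X \to (X \to [0,1])$ over a constructed three-state frame, computes the rank of a formula and its extension $[\![\varphi]\!]_\alpha$ by the recursive clauses above, and spot-checks the nonexpansiveness condition of Definition 4.2.2 for $\Diamond$ on the successor fuzzy sets occurring in the frame (finitely many elements of $TX$, so a check and not a proof). The tuple encoding of formulae, the helper names and the sample frame are the example's own choices.

```python
from fractions import Fraction as F
from typing import Dict, Tuple

# V = [0,1] as a value co-quantale (Section 2): truncated addition and its adjoint,
# truncated subtraction, which satisfies a ⊖ b ≤ v iff a ≤ b ⊕ v.
ONE, ZERO = F(1), F(0)
def oplus(a: F, b: F) -> F: return min(a + b, ONE)
def ominus(a: F, b: F) -> F: return max(a - b, ZERO)

# A fuzzy Kripke frame as a T-coalgebra for TX = X → V: alpha[x][y] = R(x, y);
# pairs without an entry have membership degree 0.
FuzzyFrame = Dict[str, Dict[str, F]]
Predicate = Dict[str, F]          # an element of ΩX = X → V

# Formulae of the modal grammar as nested tuples (the example's own encoding):
#   ('const', c) | ('oplus', phi, c) | ('ominus', phi, c)
#   | ('and', phi, psi) | ('or', phi, psi) | ('dia', phi)
Formula = tuple

def rank(phi: Formula) -> int:
    """Maximal nesting depth of the modality ◇ in phi."""
    tag = phi[0]
    if tag == 'const':
        return 0
    if tag == 'dia':
        return 1 + rank(phi[1])
    if tag in ('oplus', 'ominus'):
        return rank(phi[1])
    if tag in ('and', 'or'):
        return max(rank(phi[1]), rank(phi[2]))
    raise ValueError(f"unknown connective {tag!r}")

def diamond(A: Predicate, B: Dict[str, F]) -> F:
    """◇_X(A)(B) = ⋁{A(x) ∧ B(x) | x ∈ X}; the join over the empty set is 0."""
    return max((min(A.get(x, ZERO), b) for x, b in B.items()), default=ZERO)

def extension(phi: Formula, alpha: FuzzyFrame) -> Predicate:
    """[[phi]]_alpha : X → V, following the recursive semantic clauses."""
    tag = phi[0]
    if tag == 'const':
        return {x: phi[1] for x in alpha}
    if tag in ('oplus', 'ominus'):
        op = oplus if tag == 'oplus' else ominus
        return {x: op(v, phi[2]) for x, v in extension(phi[1], alpha).items()}
    if tag in ('and', 'or'):
        left, right = extension(phi[1], alpha), extension(phi[2], alpha)
        op = min if tag == 'and' else max
        return {x: op(left[x], right[x]) for x in alpha}
    if tag == 'dia':
        A = extension(phi[1], alpha)
        return {x: diamond(A, alpha[x]) for x in alpha}
    raise ValueError(f"unknown connective {tag!r}")

def sup_distance(f: Predicate, g: Predicate) -> F:
    """d_V^X(f, g) = ⋁_x f(x) ⊖ g(x), the supremum distance of Section 3."""
    return max((ominus(f[x], g[x]) for x in f), default=ZERO)

def diamond_nonexpansive_check(A: Predicate, B: Predicate, alpha: FuzzyFrame) -> Tuple[F, F]:
    """Return (d_V(◇A, ◇B) over the successor sets alpha[x], d_V^X(A, B)).
    Definition 4.2.2 demands that the first component never exceeds the second."""
    lifted = max((ominus(diamond(A, alpha[x]), diamond(B, alpha[x])) for x in alpha), default=ZERO)
    return lifted, sup_distance(A, B)

# Constructed three-state frame: x0 is related to x1 with degree 4/5 and to x2 with
# degree 3/10, x1 is crisply related to x2, and x2 has no successors.
FRAME: FuzzyFrame = {
    'x0': {'x1': F(4, 5), 'x2': F(3, 10)},
    'x1': {'x2': F(1)},
    'x2': {},
}
TOP: Formula = ('const', ONE)
```

Over `FRAME`, $[\![\Diamond\top]\!]$ is the degree to which a state has any successor at all ($4/5$ at x0, $1$ at x1, $0$ at the deadlocked x2), and nesting the modality once more gives rank 2 and value $4/5$ at x0 but $0$ at x1, whose only successor deadlocks.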
5 Behavioural Distance and Quantitative Bisimulation Invariance


The behavioural distance between states of a coalgebra $\alpha\colon A \to TA$ is defined as a least fixpoint that arises from an iterative process: initially, at depth $0$, all states are thought of as equivalent and their distance is therefore $0$. In order to increase the depth of the behavioural distance from $n$ to $n+1$, we lift the depth-$n$ distance on $A$ to the set $TA$ of successor structures. Formally, this is accomplished using the following quantale-valued version of the coalgebraic Kantorovich lifting [4,56]:


Definition 5.1 (Kantorovich lifting). Let $A$ and $B$ be sets and $R\colon A ⇸ B$.

1. A pair $(f,g)$ of functions $f\colon A \to \mathcal{V}$, $g\colon B \to \mathcal{V}$ is $R$-nonexpansive if $f(a) \ominus g(b) \le R(a,b)$ for all $a \in A$, $b \in B$.

2. The Kantorovich lifting of $R$ is the relation $K_\Lambda(R)\colon TA ⇸ TB$ given by

$$K_\Lambda(R)(t_1, t_2) = \bigvee\{\lambda_A(f)(t_1) \ominus \lambda_B(g)(t_2) \mid \lambda \in \Lambda,\ (f,g)\ R\text{-nonexpansive}\}.$$

(Here, $\Lambda$ is the set of modalities fixed in Section 4.) Generalizing [56, Theorem 5.6], we have:

Lemma 5.2. The Kantorovich lifting is a nonexpansive lax extension.
Example 5.3 (Kantorovich liftings).

1. For $\mathcal{V} = [0,1]$ and $\mathcal{V}$-valued fuzzy modal logic with $\Lambda = \{\Diamond\}$ (i.e. for simplicity without propositional atoms; cf. Example 4.4.1), the Kantorovich lifting $K_\Lambda(R)$ of a $\mathcal{V}$-valued relation $R\colon X ⇸ Y$ coincides with an asymmetric generalized Hausdorff lifting; i.e.

$$K_\Lambda(R)(A,B) = \bigvee_{x \in X} \bigwedge_{y \in Y} \Big( \big(A(x) \ominus B(y)\big) \vee \big(A(x) \wedge R(x,y)\big) \Big)$$

for $A \in TX = X \to \mathcal{V}$, $B \in TY$. (Obtaining a similar description for general $\mathcal{V}$ remains an open problem.) In particular, on crisp sets $A, B$, the symmetrization $K_\Lambda(R)^s$ is the usual Hausdorff lifting

$$K_\Lambda(R)^s(A,B) = \max\Big(\bigvee_{A(x)=1} \bigwedge_{B(y)=1} R(x,y),\ \bigvee_{B(y)=1} \bigwedge_{A(x)=1} R(x,y)\Big).$$

2. For probabilistic modal logic (Example 4.4.2), the restriction of $K_\Lambda$ to distributions coincides, by definition, with the usual (symmetric) Kantorovich-Wasserstein lifting (e.g. [10]). On subdistributions, one obtains an asymmetric variant, whose symmetrization then coincides with the standard one.

3. For $\mathcal{V}$-valued metric modal logic (Example 4.4.3), with $\Lambda = \{\Diamond\} \cup S$, we similarly obtain a $\mathcal{V}$-valued (asymmetric) Hausdorff distance

$$K_\Lambda(R)((s,A),(t,B)) = d_S(s,t) \vee \bigvee_{x \in A} \bigwedge_{y \in B} R(x,y)$$

on $(s,A) \in TX = S \times \mathcal{P}(X)$, $(t,B) \in TY$, and $R\colon X ⇸ Y$; a characterization that in this case holds for unrestricted $\mathcal{V}$.

4. Convex-nondeterministic metric modal logic: The $\mathcal{I}$-valued Kantorovich lifting induced by the set $\Lambda = \{M\} \cup S$ of modalities on metric transition systems, with notation as in Examples 3.11.4 and 4.4.4, is given by

$$K_\Lambda(R)((s,A),(t,B)) = \iota(d_S(s,t)) \vee \Big[\bigvee_{y \in B} \bigwedge_{x \in A} \pi_1(R(x,y)),\ \bigvee_{x \in A} \bigwedge_{y \in B} \pi_2(R(x,y))\Big]$$

on $(s,A) \in TX = S \times \mathcal{P}(X)$, $(t,B) \in TY$, and $R\colon X ⇸ Y$ (recall that the $\pi_i$ are the projections $\mathcal{I} \to [0,1]$, and $\iota\colon [0,1] \to \mathcal{I}$ denotes the evident injection).


For purposes of lifting $\mathcal{V}$-continuity structures as relations, nonexpansive pairs can be replaced with the more familiar notion of nonexpansive map:

Lemma 5.4. Let $(A,d)$ be a $\mathcal{V}$-continuity space and let $(f,g)$ be $d$-nonexpansive. Put $h(b) = \bigvee_{a \in A} f(a) \ominus d(a,b)$. Then $f \le h \le g$ and $h \in \mathrm{Pred}(A,d)$.

By monotonicity of predicate liftings we get the following alternative formulation for the Kantorovich lifting of a $\mathcal{V}$-continuity structure:

Lemma 5.5. Let $(A,d)$ be a $\mathcal{V}$-continuity space. Then for all $t_1, t_2 \in TA$

$$K_\Lambda(d)(t_1, t_2) = \bigvee\{\lambda_A(h)(t_1) \ominus \lambda_A(h)(t_2) \mid \lambda \in \Lambda,\ h \in \mathrm{Pred}(A,d)\}.$$

Using the Kantorovich lifting, we can now define a sequence of behavioural distances between states $a, b$ in $T$-coalgebras $\alpha\colon A \to TA$, $\beta\colon B \to TB$:

$$d^K_0(a,b) = 0, \qquad d^K_{n+1}(a,b) = K_\Lambda(d^K_n)(\alpha(a), \beta(b)), \qquad d^K_\omega(a,b) = \bigvee_{n < \omega} d^K_n(a,b).$$

By general fixed point theory, the continuation of this ordinal-indexed sequence past $\omega$ eventually stabilizes, that is, there exists some ordinal $\gamma$ such that $d^K_{\gamma+1} = d^K_\gamma$. The arising least fixed point is the unbounded behavioural distance $d^K$, alternatively given by

$$d^K = \bigwedge\{d \mid d = K_\Lambda(d) \circ (\alpha \times \beta)\}.$$

These behavioural distances lead to an appropriate generalization of the notion of bisimulation invariance. A family $f$ of $\mathcal{V}$-valued predicates $f_\alpha$ indexed over $T$-coalgebras $\alpha\colon A \to TA$ (such as the extension of a modal formula or of a first-order formula with a single free variable) is said to be behaviourally nonexpansive if it is nonexpansive with respect to behavioural distance $d^K$, i.e. if for all coalgebras $\alpha\colon A \to TA$, $\beta\colon B \to TB$ and all $a \in A$, $b \in B$,

$$f_\alpha(a) \ominus f_\beta(b) \le d^K(a,b). \qquad (1)$$

Similarly, $f$ is depth-$n$ behaviourally nonexpansive for finite depth $n$ if $f$ is nonexpansive with respect to depth-$n$ behavioural distance $d^K_n$.

To match these notions to the classical setting, consider the binary co-quantale $2$. In the general case, the above notion of behavioural nonexpansiveness should then be thought of as preservation under simulation: states $a, b$ have (asymmetric) distance $0$ if $b$ simulates $a$, and in this case, (1) stipulates that if $f$ is true at $a$, then $f$ is also true at $b$.
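The iteration $d^K_0 = 0$, $d^K_{n+1} = K_\Lambda(d^K_n) \circ (\alpha \times \beta)$ and the simulation reading just given can be run on a small metric transition system (Examples 4.4.3 and 5.3.3) with $\mathcal{V} = [0,1]$, for which the Kantorovich lifting has the closed Hausdorff form of Example 5.3.3. The Python below is an added example, not code from the paper; the five-state system, the label distance $d_S(s,t) = |s - t|$ on labels taken from $[0,1]$, and all function names are the example's own. It returns every stage of the iteration, checks the fixpoint equation $d = K_\Lambda(d) \circ (\alpha \times \beta)$ on the result, and checks that the result is a $\mathcal{V}$-continuity space (Definition 3.1).

```python
from fractions import Fraction as F
from typing import Callable, Dict, List, Set, Tuple

# V = [0,1] with truncated addition as the monoid operation (Section 2).
ONE, ZERO = F(1), F(0)
def oplus(a: F, b: F) -> F: return min(a + b, ONE)

# Join and meet over possibly empty families in [0,1]: the empty join is the
# bottom element 0, the empty meet is the top element 1.
def join(vals) -> F: return max(vals, default=ZERO)
def meet(vals) -> F: return min(vals, default=ONE)

# A metric transition system (Example 4.4.3) as a coalgebra for TX = S × PX: each
# state carries a label s ∈ S ⊆ [0,1], with d_S(s,t) = |s − t|, and a set of successors.
MTS = Dict[str, Tuple[F, Set[str]]]
Relation = Callable[[str, str], F]
def d_S(s: F, t: F) -> F: return abs(s - t)

def kantorovich(R: Relation, ta: Tuple[F, Set[str]], tb: Tuple[F, Set[str]]) -> F:
    """K_Λ(R)((s,A),(t,B)) = d_S(s,t) ∨ ⋁_{x∈A} ⋀_{y∈B} R(x,y)  (Example 5.3.3)."""
    (s, A), (t, B) = ta, tb
    return max(d_S(s, t), join(meet(R(x, y) for y in B) for x in A))

def behavioural_distances(alpha: MTS, beta: MTS) -> List[Dict[Tuple[str, str], F]]:
    """Iterate d_0 = 0, d_{n+1}(a,b) = K_Λ(d_n)(α(a), β(b)) until the sequence stabilises
    and return the stages d_0, ..., d_γ. On a finite system every stage takes values among
    the finitely many label distances (and 0, 1), so the least fixpoint is reached after
    finitely many steps."""
    pairs = [(a, b) for a in alpha for b in beta]
    d = {p: ZERO for p in pairs}
    stages = [d]
    while True:
        cur = d
        nxt = {(a, b): kantorovich(lambda x, y: cur[(x, y)], alpha[a], beta[b]) for (a, b) in pairs}
        if nxt == d:
            return stages
        d = nxt
        stages.append(d)

def is_fixpoint(alpha: MTS, beta: MTS, d: Dict[Tuple[str, str], F]) -> bool:
    """d = K_Λ(d) ∘ (α × β), the defining equation of the unbounded distance d^K."""
    return all(kantorovich(lambda x, y: d[(x, y)], alpha[a], beta[b]) == d[(a, b)]
               for a in alpha for b in beta)

def is_continuity_space(states: List[str], d: Dict[Tuple[str, str], F]) -> bool:
    """d(x,x) = 0 and d(x,z) ≤ d(x,y) ⊕ d(y,z) (Definition 3.1), on a single coalgebra."""
    return (all(d[(x, x)] == ZERO for x in states) and
            all(d[(x, z)] <= oplus(d[(x, y)], d[(y, z)])
                for x in states for y in states for z in states))

def is_increasing(stages: List[Dict[Tuple[str, str], F]]) -> bool:
    """The stages form an ascending chain d_0 ≤ d_1 ≤ ... (monotonicity of K_Λ, axiom (L1))."""
    return all(prev[p] <= nxt[p] for prev, nxt in zip(stages, stages[1:]) for p in prev)

# Constructed system: a and c carry label 0; a → b; c → d and c → e; b, d, e deadlock.
EXAMPLE: MTS = {
    'a': (F(0), {'b'}),
    'b': (F(1, 2), set()),
    'c': (F(0), {'d', 'e'}),
    'd': (F(1, 2), set()),
    'e': (F(3, 5), set()),
}
```

On `EXAMPLE` the iteration stabilises at $d_2$. The states a and c both carry label $0$; a has the single successor b (label $1/2$), while c has the successors d (label $1/2$) and e (label $3/5$). The result has $d(a,c) = 0$ but $d(c,a) = 1/10$: every successor of a is matched exactly by a successor of c, but the successor e of c is only matched by b up to the label distance $1/10$, which is the asymmetric simulation reading of distance $0$ described above. The pair $(a,b)$ shows the role of the empty meet: a has a successor and b deadlocks, so the inner infimum over the successors of b is $1$ and $d(a,b) = 1$, whereas $d(b,a) = 1/2$ is just the label distance.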
Example 5.6. The behavioural distance arising from the Kantorovich lifting of metric modal logic (Example 5.3.3) is a simulation distance. The value $d^K(a,b)$ quantifies the degree to which traces starting at $b$ simulate traces starting at $a$, where the distance from one trace to another is the supremum over the distances at all time steps.

On the other hand, there are many cases where the behavioural distance $d^K$ is symmetric. If $\mathcal{V} = [0,1]$ and the set $\Lambda$ is closed under duals (Remark 4.3), then we have $K_\Lambda(R^*) = K_\Lambda(R)^*$ for all $R$ and therefore $d^K$ is symmetric [56]. Concretely, if we put $\Box_X(A) = 1 \ominus \Diamond_X(1 \ominus A)$, then in the case of fuzzy modal logic (Example 4.4.1) we have $\Box_X(A)(B) = \bigwedge\{(1 \ominus B(x)) \vee A(x) \mid x \in X\}$ and in the case of probabilistic modal logic (Example 4.4.2) we have $\Box_X(A)(\mu) = \mathbb{E}_\mu(A) \oplus (1 \ominus \mu(X))$, and in both cases $\Lambda = \{\Diamond, \Box\}$ yields a symmetric distance.

In these symmetric cases distance $0$ determines a notion of bisimilarity, and behavioural nonexpansiveness amounts to the standard notion of bisimulation invariance. Thus, the following straightforward lemma generalizes both bisimulation invariance of modal logic and preservation of positive modal logic (with only diamond modalities) under simulation:

Lemma 5.7. All modal formulae are behaviourally nonexpansive, and all modal formulae of rank at most $n$ are depth-$n$ behaviourally nonexpansive.


As expected, coalgebra morphisms preserve behaviour on the nose:

Lemma 5.8. Let $\alpha\colon A \to TA$ and $\beta\colon B \to TB$ be coalgebras and $h\colon A \to B$ a coalgebra morphism, that is $Th \circ \alpha = \beta \circ h$. Then $d^K(a, h(a)) = 0$ for all $a \in A$.

Another way to define distances between states of a coalgebra is in terms of the modal formulae:

Definition 5.9 (Logical distance). Let $a, b$ be states in coalgebras $\alpha\colon A \to TA$, $\beta\colon B \to TB$. We define

$$d^L(a,b) = \bigvee\{[\![\varphi]\!](a) \ominus [\![\varphi]\!](b) \mid \varphi \in \mathcal{L}^\Lambda\}$$
$$d^L_n(a,b) = \bigvee\{[\![\varphi]\!](a) \ominus [\![\varphi]\!](b) \mid \varphi \in \mathcal{L}^\Lambda_n\}.$$

The relationship between fixpoint-based distances $d^K$ and logical distances $d^L$ is at the heart of the study of behavioural nonexpansiveness and modal expressiveness. For instance, Lemma 5.7 can equivalently be expressed by the inequalities $d^L \le d^K$ and $d^L_n \le d^K_n$, $n < \omega$. In Section 6, we investigate the converse inequalities.


6 Modal Approximation 


We now establish our first contribution, a quantitative coalgebraic Hennessy- 
Milner theorem. To this end, we first need to pin down the exact relationship of 
the two families of distances at finite depth. 
Theorem 6.1. Let the set $\Lambda$ of monotone and nonexpansive predicate liftings from Section 4 be finite and let $(A, \alpha)$ be a coalgebra. For all $n < \omega$:

1. We have $d^K_n = d^L_n =: d_n$.
2. The space $(A, d_n)$ is totally bounded.
3. The set $\mathcal{L}^\Lambda_n$ is a dense subset of $\mathrm{Pred}(A, d_n)$.


Remark 6.2. The need for assuming that the set A of modalities is finite is 
specific to quantitative Hennessy-Milner theorems (and implicitly present also 
in the existing [0, 1]-valued version of the theorem [37]), and not needed in the 
two-valued case [45,50]. It relates to the total boundedness claim in Theorem 6.1, 
and features also in the van Benthem theorem, where in fact it is needed also 
in the two-valued case [52]; indeed, proofs of the original van Benthem theorem 
start by assuming, in that case w.l.o.g., that there are only finitely many propo- 
sitional atoms and relational modalities. In our running examples, only the ones 
featuring metric transition systems are affected by this assumption; indeed, for 
our theorems to apply to such systems, the space of labels needs to be finite. 


Theorem 6.1 is proven by induction on $n$ and most of Section 6 is devoted to the inductive step (the base case $n = 0$ is immediate from $d^K_0 = d^L_0 = 0$). We fix a coalgebra $\alpha\colon A \to TA$ and an integer $n \ge 1$ and assume as the inductive hypothesis that the three items of Theorem 6.1 have already been proven for all $m < n$. We show Item 1 in Lemma 6.3, Item 2 in Lemma 6.6, and Item 3 in Lemma 6.7.


Lemma 6.3. We have $d^K_n = d^L_n$ on $A$.

Proof (sketch). We use the alternative formula for the Kantorovich lifting as given in Lemma 5.5. By Item 3 of the inductive hypothesis, and because the predicate liftings are nonexpansive, the maps $\lambda(f) \circ \alpha$ with $f \in \mathrm{Pred}(A, d_{n-1})$ can be approximated using formula expansions $[\![\lambda\varphi]\!]$ with $\varphi \in \mathcal{L}^\Lambda_{n-1}$.


Having shown that $d^K_n = d^L_n$, from now on we simply use $d_n$ to denote both. To show that $d_n$ is totally bounded, we make use of the following version of the Arzelà-Ascoli theorem [23, Theorem 4.13].


Lemma 6.4 (Arzelà-Ascoli). Let $(X, d_1)$ and $(Y, d_2)$ be totally bounded $\mathcal{V}$-continuity spaces. Then the space $(X, d_1) \to_1 (Y, d_2)$ is also totally bounded.

Using Lemma 6.4, we show that the Kantorovich lifting preserves total boundedness; this generalizes a previous result for the case $\mathcal{V} = [0,1]$ [37, Proposition 29], which in turn generalizes [57, Lemma 5.6].

Lemma 6.5. If the set $\Lambda$ of predicate liftings is finite and $(X,d)$ is a totally bounded $\mathcal{V}$-continuity space, then $(TX, K_\Lambda(d))$ is totally bounded.


The following is now an easy consequence: 


Lemma 6.6. The space $(A, d_n)$ is totally bounded.
Finally, we show that the modal formulae up to depth $n$ form a dense subspace of the space of all nonexpansive properties:

Lemma 6.7. Let $f \in \mathrm{Pred}(A, d_n)$ be a nonexpansive map and let $\varepsilon \gg 0$. Then there exists some modal formula $\varphi \in \mathcal{L}^\Lambda_n$ such that $d^A_{\mathcal{V}}(f, [\![\varphi]\!]) \ll \varepsilon$.

Proof (sketch). We use the fact that for all $x \in A$

$$f(x) = \bigwedge_{y \in A} d_n(x,y) \oplus f(y) = \bigwedge_{y \in A} \bigvee_{\varphi \in \mathcal{L}^\Lambda_n} \big([\![\varphi]\!](x) \ominus [\![\varphi]\!](y)\big) \oplus f(y).$$

The latter term can be approximated using formulae of $\mathcal{L}^\Lambda_n$, where the infimum over $y$ and the supremum over $\varphi$ are made finite using $\varepsilon$-covers of $A$ and $\mathcal{L}^\Lambda_n$.


Having shown that behavioural distance and logical distance coincide at all finite depths, we are now equipped to prove our first main result, a version of the Hennessy-Milner theorem stating that behavioural distance and logical distance coincide not only at finite depths (Theorem 6.1.1), but in fact also at unbounded depth. In general, this equivalence of distances can only be expected to hold if the functor $T$ in question is finitary, or admits approximation by a finitary subfunctor [56]. The functor $T$ is finitary if for all sets $X$ and all $t \in TX$ there exists a finite subset $Y \subseteq X$ such that $t = Ti(s)$ for some $s \in TY$, where $i\colon Y \to X$ is set inclusion. Examples of finitary functors include the finite powerset functor $\mathcal{P}_\omega X = \{Y \subseteq X \mid Y \text{ finite}\}$ and the finite subdistribution functor $\mathcal{S}_\omega$, which maps a set $X$ to the set of finitely supported probability subdistributions on $X$. König and Mika-Michalski [37] prove a quantitative coalgebraic Hennessy-Milner theorem for the case of the co-quantale $[0,1]$. We generalize their result as follows:


Definition 6.8. We say that the value co-quantale $\mathcal{V}$ is continuous from below if for every monotone increasing sequence $(a_n)_{n < \omega}$ in $\mathcal{V}$ and every $\varepsilon \gg 0$, there exists some $n$ such that

$$a_n \oplus \varepsilon \ge \bigvee_{m < \omega} a_m.$$

This condition essentially allows the use of epsilontic arguments also for joins of increasing sequences, while value co-quantales in general allow this only for meets. It holds in all our running examples.


Theorem 6.9 (Quantified Hennessy-Milner theorem). Let $\Lambda$ be a finite set of monotone and nonexpansive predicate liftings, let $T$ be a finitary functor and let $\mathcal{V}$ be a totally bounded value co-quantale that is continuous from below. Then we have $d^K = d^L$.

Proof (sketch). Because $\mathcal{V}$ is continuous from below, we have $K_\Lambda(d^K_\omega) = \bigvee_{n < \omega} K_\Lambda(d^K_n)$ on finite sets, and as $T$ is finitary, this also holds for all sets. This implies that $d^K_\omega = d^K_{\omega+1} = d^K$, so that

$$d^K = \bigvee_{n < \omega} d^K_n = \bigvee_{n < \omega} d^L_n = d^L.$$

Besides examples already covered by the $[0,1]$-valued version of the theorem [37], this result instantiates, e.g., to a quantitative Hennessy-Milner theorem for convex-nondeterministic metric modal logic (Example 4.4.4).
7 Locality and Modal Characterization

We proceed to establish our main result, the quantitative coalgebraic van Ben- 
them theorem. The main tool in the proof of this result is a notion of locality, 
which characterizes formulae that only depend on the structure of the model 
in some neighbourhood of the state under consideration. This poses a challenge 
when it comes to coalgebraic models, as these need not come with a built-in 
graph structure that could be used to define what it means for two states to 
be neighbouring. To solve this, we make use of a technique based on supported 
coalgebras that has previously been used in the proof of a two-valued coalgebraic 
van Benthem theorem [52]. 

Recall from Section 2 that we assume $T\emptyset \neq \emptyset$. We fix an element $\bot \in T\emptyset$, and for each set $A$ put $\bot_A = Ti(\bot)$, where $i\colon \emptyset \to A$ is the empty map.


Definition 7.1 (Support). Let $A$ be a set. We say that a set $B \subseteq A$ is a support of $t \in TA$ if $t \in TB$. A supported coalgebra is a coalgebra $\alpha\colon A \to TA$ together with a map $\mathrm{supp}_\alpha\colon A \to \mathcal{P}A$ such that $\mathrm{supp}_\alpha(a)$ is a support of $\alpha(a)$ for every $a \in A$.


Every coalgebra can be supported because we can always put $\mathrm{supp}_\alpha(a) = A$ for all $a \in A$. Supporting a coalgebra equips it with a graph structure:


Definition 7.2 (Neighbourhood). Let A = (A,a,supp,) be a supported 
coalgebra. 


1. The Gaifman graph of $\mathcal{A}$ is the undirected graph with vertex set $A$ and edge 
set $\{\{a, b\} \mid b \in \mathrm{supp}_\alpha(a)\}$. 

2. For any $a, b \in A$, the Gaifman distance $D_{\mathrm{supp}}(a, b)$ is the least number of 
steps to get from $a$ to $b$ in the Gaifman graph (or $\infty$, if no path from $a$ to $b$ 
exists). 

3. The radius-$k$ neighbourhood of a state $a \in A$ is the set $U^k(a) = \{b \in A \mid 
D_{\mathrm{supp}}(a, b) \le k\}$. 


For any $k < \omega$ and any state $a$ in a supported coalgebra $\mathcal{A} = (A, \alpha, \mathrm{supp}_\alpha)$, 
we can define a supported coalgebra $\mathcal{A}^k = (U^k(a), \alpha^k, \mathrm{supp}_{\alpha^k})$ on the radius-$k$ 
neighbourhood of $a$. The coalgebra map $\alpha^k\colon U^k(a) \to T(U^k(a))$ is given 
by $\alpha^k(b) = \alpha(b)$ if $\mathrm{supp}_\alpha(b) \subseteq U^k(a)$ and $\alpha^k(b) = \bot_A$ otherwise. We note 
that the latter case only occurs for states on the edge of $U^k(a)$, that is when 
$D_{\mathrm{supp}}(a, b) = k$. Note that $\bot_A$ has empty support by construction, so that we 
can put $\mathrm{supp}_{\alpha^k}(b) = \emptyset$ in this latter case and $\mathrm{supp}_{\alpha^k}(b) = \mathrm{supp}_\alpha(b)$ otherwise. 

Using the neighbourhood around a state and the coalgebra structure defined 
on it, we can now define our notion of locality: 


Definition 7.3. A formula $\varphi$ is $k$-local if we have $[\![\varphi]\!]_{\mathcal{A}}(a) = [\![\varphi]\!]_{\mathcal{A}^k}(a)$ for all 
supported coalgebras $\mathcal{A} = (A, \alpha, \mathrm{supp}_\alpha)$ and all $a \in A$. 
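As an added illustration (example code, not from the paper), the following Python snippet instantiates Definitions 7.2 and 7.3 for the finite powerset functor, i.e. Kripke frames with $\mathrm{supp}_\alpha(a) = \alpha(a)$ and $\bot = \emptyset$: it computes Gaifman distances by breadth-first search, builds $U^k(a)$ together with the restricted coalgebra $\alpha^k$, and checks $k$-locality of two-valued modal formulae on a constructed frame. The frame `ALPHA` and the tuple encoding of formulae are assumptions of this example; in this instance a modal formula of rank $m$ is $m$-local (its value at $a$ only depends on successor chains of length at most $m$), whereas the frame below shows that the rank-2 formula $\Diamond\Diamond\top$ is not 1-local.

```python
from collections import deque

# Constructed frame (not from the paper): a coalgebra for the finite powerset
# functor, supp(x) = alpha(x); the default value bottom is the empty successor set.
ALPHA = {'a': {'b', 'c'}, 'b': {'d'}, 'c': set(),
         'd': {'e'}, 'e': {'a'}, 'f': {'a'}}

def gaifman_distance(alpha, a):
    """Def. 7.2.2: BFS from a over the undirected Gaifman graph with edges
    {x, y} for y in supp(x). States missing from the result have distance oo."""
    adj = {x: set() for x in alpha}
    for x, succ in alpha.items():
        for y in succ:
            adj[x].add(y)
            adj[y].add(x)
    dist, queue = {a: 0}, deque([a])
    while queue:
        x = queue.popleft()
        for y in adj[x]:
            if y not in dist:
                dist[y] = dist[x] + 1
                queue.append(y)
    return dist

def neighbourhood(alpha, a, k):
    """Def. 7.2.3 and the coalgebra A^k: restrict to U^k(a); a state whose
    support leaves U^k(a) (only possible on the edge) gets the default value."""
    u = {x for x, d in gaifman_distance(alpha, a).items() if d <= k}
    alpha_k = {x: (alpha[x] if alpha[x] <= u else set()) for x in u}
    return u, alpha_k

def holds(alpha, phi, x):
    """Two-valued modal semantics: 'T' (true), ('not', p), ('and', p, q) and
    ('dia', p), the latter meaning 'some successor of x satisfies p'."""
    if phi == 'T':
        return True
    op, args = phi[0], phi[1:]
    if op == 'not':
        return not holds(alpha, args[0], x)
    if op == 'and':
        return holds(alpha, args[0], x) and holds(alpha, args[1], x)
    return any(holds(alpha, args[0], y) for y in alpha[x])  # op == 'dia'

def is_local(alpha, phi, k):
    """Def. 7.3 checked on a single frame: phi takes the same value at every
    state a in A and in the restricted coalgebra A^k built around a."""
    return all(holds(alpha, phi, a) == holds(neighbourhood(alpha, a, k)[1], phi, a)
               for a in alpha)
```

Calling `is_local(ALPHA, ('dia', ('dia', 'T')), k)` returns `True` for `k = 2` but `False` for `k = 1`, since in $\mathcal{A}^1$ around `'a'` the state `'b'` has lost its successor `'d'`.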


Lemma 7.4. For every supported coalgebra $\mathcal{A} = (A, \alpha, \mathrm{supp}_\alpha)$, $k < \omega$ and $a \in 
A$, we have $d^{\alpha}(a, a) = 0$, where the first $a$ lives in $\mathcal{A}$ and the second in $\mathcal{A}^k$. 

A key step in the proof is the following locality result, which in similar form 
appears also in proofs of the classical van Benthem theorem [44], and is proved, 
in our case, by a game-theoretic method that is related to classical Ehrenfeucht-Fraïssé 
games: 


Lemma 7.5. Let $\varphi(x)$ be a behaviourally nonexpansive formula with $\mathrm{qr}(\varphi) \le n$. 
Then $\varphi$ is $k$-local for $k = 3^n$. 


Proof (sketch). Consider a spoiler-duplicator game over $n$ rounds, where both 
players place a pebble every round and the second player needs to maintain the 
invariant that if there are $m$ rounds remaining, the radius-$3^m$ neighbourhoods 
around the pebbles need to be isomorphic. One can show that this invariant 
guarantees equivalence on formulae of rank at most $m$. 

We use this game to prove for every supported coalgebra $\mathcal{A}$ that $\varphi$ has the 
same value on $\mathcal{A}$ and $\mathcal{A}^k$. Nonexpansiveness of $\varphi$ is used to extend the two 
coalgebras in such a way that the duplicator always has a suitable response. 


We next show that every nonexpansive formula that is local is also nonexpansive 
at some finite depth. We make use of an unravelling construction, where a 
coalgebra is enlarged so that the successors of every state in the unravelling (as 
given by the support relation) form a tree. 


Definition 7.6 (Unravelling). The unravelling of a supported coalgebra 
$\mathcal{A} = (A, \alpha, \mathrm{supp}_\alpha)$ is the supported coalgebra $\mathcal{A}^* = (A^+, \alpha^*, \mathrm{supp}_{\alpha^*})$, where 
$A^+$ is the set of nonempty sequences over $A$ and for $a_1 \ldots a_n \in A^+$ we 
have $\alpha^*(a_1 \ldots a_n) = Tf(\alpha(a_n))$ and $\mathrm{supp}_{\alpha^*}(a_1 \ldots a_n) = f[\mathrm{supp}_\alpha(a_n)]$, where 
$f\colon A \to A^+$, $a \mapsto a_1 \ldots a_n a$. 


Lemma 7.7. For every supported coalgebra $\mathcal{A} = (A, \alpha, \mathrm{supp}_\alpha)$ and every $a \in A$, 
we have $d^{\alpha}(a, a) = 0$, where the first $a$ lives in $\mathcal{A}$ and the second in $\mathcal{A}^*$. 


The mentioned nonexpansiveness at finite depth follows: 


Lemma 7.8. Let $\varphi$ be behaviourally nonexpansive and $k$-local. Then $\varphi$ is also 
depth-$k$ behaviourally nonexpansive. 


Proof (sketch). By the assumptions on $\varphi$ we may pass from any supported coalgebra 
to the radius-$k$ neighbourhood in the unravelling, which is shaped like a 
tree of depth $k$. Between any two such tree structures we have $d^{\alpha}_k = d^{\alpha}$, as their 
behaviour past depth $k$ is fully characterized by the default value $\bot \in T\emptyset$. 


The target result then follows by combining the above lemmas with Theorem 6.1 
and a final chain argument that allows us to detach the technical development 
from the choice of a fixed coalgebra: 


Theorem 7.9 (Quantified van Benthem theorem). Let $\Lambda$ be a finite set 
of monotone and nonexpansive predicate liftings, let $T$ be a standard functor 
with $T\emptyset \neq \emptyset$, and let $\mathcal{V}$ be a totally bounded value co-quantale. Then for every 
behaviourally nonexpansive formula $\varphi$ of quantitative coalgebraic predicate 
logic with quantifier rank at most $n$ and every $\varepsilon > 0$ there exists a modal 
formula $\psi \in \mathcal{L}^\Lambda$ such that for all coalgebras $\alpha\colon A \to TA$ and all $a \in A$, 
$d_{\mathcal{V}}([\![\varphi]\!]_\alpha(a), [\![\psi]\!]_\alpha(a)) < \varepsilon$ and the modal rank of $\psi$ is bounded by $3^n$. 

Proof (sketch). Using the final chain $(T^n 1)_{n<\omega}$, where $1$ is a singleton set, we 
can construct a coalgebra $(Z, \zeta)$ such that for all $(A, \alpha)$ and all $\varphi, \psi$ we have 
$d_{\mathcal{V}}([\![\varphi]\!]_\alpha, [\![\psi]\!]_\alpha) \le d_{\mathcal{V}}([\![\varphi]\!]_\zeta, [\![\psi]\!]_\zeta)$. 

As $\varphi$ is behaviourally nonexpansive, we get that it is also depth-$k$ behaviourally 
nonexpansive for $k = 3^{\mathrm{qr}(\varphi)}$ by Lemmas 7.5 and 7.8, and by Theorem 
6.1.3 for every $\varepsilon > 0$ there is $\psi \in \mathcal{L}^\Lambda$ such that $d_{\mathcal{V}}([\![\varphi]\!]_\zeta, [\![\psi]\!]_\zeta) < \varepsilon$. 


To our best knowledge, the only previously known instances of this result in the 
real-valued setting are the ones for [0, 1]-valued fuzzy modal logic [57] and for 
quantitative probabilistic modal logic [58]. In the two-valued setting, we cover a 
previous coalgebraic van Benthem result [52] by instantiating to $\mathcal{V} = 2$, and in 
fact obtain an additional asymmetric version, characterizing fragments that are 
preserved under simulation. In our running examples, we obtain new concrete 
van Benthem theorems for [0, 1]-valued metric modal logic (Example 4.4.3) and 
convex-nondeterministic metric modal logic (Example 4.4.4). We cover, by default, 
the asymmetric case (to be thought of as characterizing fragments that are 
preserved under quantitative simulation) and, in the cases $\mathcal{V} = [0, 1]$ and $\mathcal{V} = 2$, 
also the symmetric case (to be thought of as characterizing fragments that are 
invariant under bisimulation). 


8 Conclusions 


We have established a highly general quantitative version of van Benthem's 
modal characterization theorem, stating that given a value quantale $\mathcal{V}$ that is 
totally bounded and continuous from below, all state properties, in a given type 
of quantitative systems, that are nonexpansive w.r.t. $\mathcal{V}$-valued behavioural distance 
and expressible in $\mathcal{V}$-valued coalgebraic (first-order) predicate logic can be 
approximated by $\mathcal{V}$-valued modal formulae of bounded rank. A key technical tool 
in the proof are versions of the classical Arzelà-Ascoli and Stone-Weierstraß theorems 
for totally bounded quantale-valued (pseudo-quasi-)metric spaces. Coalgebraic 
generality implies that this result not only subsumes existing quantitative 
van-Benthem type theorems for fuzzy [57] and probabilistic [58] systems, but 
we also obtain new results, e.g. for metric transition systems. Via the additional 
parametrization over a value quantale, we moreover obtain, e.g., a van Benthem 
theorem for convex-nondeterministic behavioural distance ('states $x$, $y$ have distance 
between $a$ and $b$') on metric transition systems. Our result complements 
previous coalgebraic results for two-valued logics [52]. We do leave some open 
problems, in particular to determine whether the main result can be sharpened 
to exact modal expressibility instead of approximability, and to obtain a quantitative 
modal characterization over finite models, in generalization of Rosen's 
finite-model variant of van Benthem's theorem [48]. 